public inbox for netdev@vger.kernel.org
From: Jakub Kicinski <kuba@kernel.org>
To: edumazet@google.com
Cc: Jakub Kicinski <kuba@kernel.org>,
	horms@kernel.org, jhs@mojatatu.com, davem@davemloft.net,
	jiri@resnulli.us, km.kim1503@gmail.com, pabeni@redhat.com,
	xiyou.wangcong@gmail.com, eric.dumazet@gmail.com,
	netdev@vger.kernel.org
Subject: Re: [net,1/2] net: add skb_header_pointer_careful() helper
Date: Tue, 27 Jan 2026 18:55:56 -0800
Message-ID: <20260128025556.4169217-1-kuba@kernel.org>
In-Reply-To: <20260127144433.196836-2-edumazet@google.com>

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.

For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
net: add skb_header_pointer_careful() helper

This patch adds a new helper to validate negative offsets before calling
skb_header_pointer().  The commit message states that negative offsets
are supported "as long as the zone starts between skb->head and
skb->data."

> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> index 86737076101d..72679aa7af58 100644
> --- a/include/linux/skbuff.h
> +++ b/include/linux/skbuff.h
> @@ -4301,6 +4301,18 @@ skb_header_pointer(const struct sk_buff *skb, int offset, int len, void *buffer)
>  				    skb_headlen(skb), buffer);
>  }
>
> +/* Variant of skb_header_pointer() where @offset is user-controlled
> + * and potentially negative.
> + */
> +static inline void * __must_check
> +skb_header_pointer_careful(const struct sk_buff *skb, int offset,
> +			   int len, void *buffer)
> +{
> +	if (unlikely(offset < 0 && -offset > skb_headlen(skb)))
> +		return NULL;

Should this check use skb_headroom() instead of skb_headlen()?

The commit message says negative offsets should be valid when the zone
is "between skb->head and skb->data" - that describes the headroom, not
the headlen.  For a negative offset, skb_header_pointer() returns
skb->data + offset, which points into the headroom area.

skb_headlen() returns the linear data length after skb->data (skb->len
minus skb->data_len), while skb_headroom() returns the space before
skb->data (skb->data minus skb->head).

These values are quite different in practice - headroom is typically
small (2-128 bytes), while headlen can be up to MTU size (~1500 bytes).
With the current check, an offset like -100 would pass validation when
skb_headlen is 1500, but could read before skb->head if skb_headroom is
only 2 bytes.

The existing offset_valid() function in net/sched/act_pedit.c uses
skb_headroom() for this same type of check:

    if  (offset < 0 && -offset > skb_headroom(skb))
        return false;

> +	return skb_header_pointer(skb, offset, len, buffer);
> +}
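Review bot: The header comment on skb_header_pointer_careful() describes the motivation but not the contract; it should say that the function returns NULL when a negative @offset reaches past the accepted prefix (the `return NULL` path above) and otherwise defers to skb_header_pointer(), which still bounds-checks positive offsets against skb_headlen(), so callers know the NULL result is the only new failure mode they must handle. A kernel-doc block with a Return: line would do, and it should name the bound actually enforced so the comment, the commit message and the code cannot drift apart.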
-- 
pw-bot: cr
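The headroom-versus-headlen point in the review above, worked through as an added example that is not code from the patch or the kernel: a toy sk_buff stand-in (assumed fields named after the real ones the review mentions) runs the posted check beside the headroom-based one against the review's numbers, 2 bytes of headroom, 1500 bytes of headlen and an offset of -100.

```c
#include <stdbool.h>
/* Toy stand-in for the sk_buff members the check reads (assumption: the
 * real struct sk_buff has many more fields). */
struct toy_skb {
	unsigned char *head, *data;  /* buffer start; current header start */
	unsigned int len, data_len;  /* total length; bytes in fragments */
};

/* skb_headlen(): linear bytes after skb->data. */
static unsigned int toy_headlen(const struct toy_skb *skb)
{
	return skb->len - skb->data_len;
}

/* skb_headroom(): bytes between skb->head and skb->data. */
static unsigned int toy_headroom(const struct toy_skb *skb)
{
	return (unsigned int)(skb->data - skb->head);
}

/* The check as posted: a negative offset is bounded by headlen. */
static bool posted_check_accepts(const struct toy_skb *skb, int offset)
{
	return !(offset < 0 && (unsigned int)-offset > toy_headlen(skb));
}

/* The check the review suggests: bound it by headroom instead. */
static bool headroom_check_accepts(const struct toy_skb *skb, int offset)
{
	return !(offset < 0 && (unsigned int)-offset > toy_headroom(skb));
}

/* Ground truth, on integers only: does skb->data + offset lie before skb->head? */
static bool points_before_head(const struct toy_skb *skb, int offset)
{
	return (long)toy_headroom(skb) + offset < 0;
}
struct verdict { bool posted_accepts, headroom_accepts, before_head; };

/* Lay out a constructed skb (headroom + headlen must fit in 4096 bytes)
 * and run both checks plus the ground truth on one offset. */
static struct verdict judge(unsigned int headroom, unsigned int headlen,
			    int offset)
{
	static unsigned char buf[4096];
	struct toy_skb skb = { buf, buf + headroom, headlen, 0 };
	struct verdict v = { posted_check_accepts(&skb, offset),
			     headroom_check_accepts(&skb, offset),
			     points_before_head(&skb, offset) };
	return v;
}
```

judge(2, 1500, -100) reports that the posted check accepts the offset even though the resulting pointer lies before skb->head, while the headroom-based check rejects it.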

Thread overview: 5+ messages
2026-01-27 14:44 [PATCH net 0/2] net: fix potential crash in net/sched/cls_u32.c Eric Dumazet
2026-01-27 14:44 ` [PATCH net 1/2] net: add skb_header_pointer_careful() helper Eric Dumazet
2026-01-28  2:55   ` Jakub Kicinski [this message]
2026-01-28 14:01     ` [net,1/2] " Eric Dumazet
2026-01-27 14:44 ` [PATCH net 2/2] net/sched: cls_u32: use skb_header_pointer_careful() Eric Dumazet
