From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steffen Klassert
To: David Miller, Jakub Kicinski
CC: Herbert Xu, Steffen Klassert,
Subject: [PATCH 05/20] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
Date: Mon, 23 Mar 2026 09:33:46 +0100
Message-ID: <20260323083440.2741292-6-steffen.klassert@secunet.com>
In-Reply-To: <20260323083440.2741292-1-steffen.klassert@secunet.com>
References: <20260323083440.2741292-1-steffen.klassert@secunet.com>
X-Mailing-List: netdev@vger.kernel.org
From: Roshan Kumar

Add validation of the inner IPv4 packet tot_len and ihl fields parsed from
decrypted IPTFS payloads in __input_process_payload().

A crafted ESP packet containing an inner IPv4 header with tot_len=0 causes an
infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the data
offset never advances and the while(data < tail) loop never terminates,
spinning forever in softirq context.

Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct iphdr),
which catches both the tot_len=0 case and malformed ihl values.

The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
extracts and processes inner packets before they reach that layer.

Reported-by: Roshan Kumar
Fixes: 6c82d2433671 ("xfrm: iptfs: add basic receive packet (tunnel egress) handling")
Cc: stable@vger.kernel.org
Signed-off-by: Roshan Kumar
Signed-off-by: Steffen Klassert
---
 net/xfrm/xfrm_iptfs.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/xfrm/xfrm_iptfs.c b/net/xfrm/xfrm_iptfs.c
index 3b6d7284fc70..0747d1cfa333 100644
--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -991,6 +991,11 @@ static bool __input_process_payload(struct xfrm_state *x, u32 data, iplen = be16_to_cpu(iph->tot_len); iphlen = iph->ihl << 2; + if (iplen < iphlen || iphlen < sizeof(*iph)) { + XFRM_INC_STATS(net, + LINUX_MIB_XFRMINHDRERROR); + goto done; + } protocol = cpu_to_be16(ETH_P_IP); XFRM_MODE_SKB_CB(skbseq->root_skb)->tos = iph->tos; } else if (iph->version == 0x6) {
-- 
2.43.0
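Review bot: the check `if (iplen < iphlen || iphlen < sizeof(*iph))` matches what the commit message promises (tot_len < ihl*4 or ihl < 5), but the `goto done` that follows drops every remaining inner packet in this IPTFS payload, not only the malformed one; that is the right outcome, since without a trustworthy tot_len the next inner boundary cannot be located, but a one-line comment above the check (or a sentence in the commit message) saying so would save the next reader from wondering whether a per-packet skip was intended. It would also help to state where the earlier code already guarantees that `remaining` covers the bytes the header fields are read from, since the hunk shows only tot_len and ihl being consumed; if only the first four bytes are guaranteed at this point, an `iphlen > remaining` bound belongs in the same condition. Minor: the `XFRM_INC_STATS(net,` / `LINUX_MIB_XFRMINHDRERROR);` wrap can likely be joined onto one line at this indentation.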
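The bug described in the commit message is a parsing loop that advances by an attacker-controlled length field. The following user-space model, added here as an example and not part of the kernel or of this patch, walks a buffer of back-to-back inner IPv4 packets the way the commit message describes, with and without the tot_len/ihl check; it shows that tot_len=0 makes the unchecked loop stop advancing, and that the check also catches an undersized ihl which the unchecked walk would happily accept. All function, enum and scenario names are my own, and the packet buffers are constructed inline (version and length fields only, zeroed bodies), not captured traffic.

```c
/* Added example (not kernel code): a user-space model of the IPTFS inner-packet
 * walk. It shows why an inner IPv4 header with tot_len=0 stalls the unchecked
 * loop and how the patch's tot_len/ihl check rejects it. Function and enum
 * names below are my own; the sample buffers are constructed, not captured. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV4_MIN_HDR 20u               /* sizeof(struct iphdr) on the wire */

enum walk_rc { WALK_OK = 0, WALK_STALLED = -1, WALK_HDR_ERR = -2, WALK_TRUNC = -3 };
enum scenario { SC_GOOD, SC_ZERO_TOTLEN, SC_SHORT_IHL };

static uint16_t rd16be(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Walk a buffer of back-to-back inner IPv4 packets, advancing by tot_len.
 * With validate == 0 this mirrors the pre-fix loop; the only addition is a
 * progress check that returns WALK_STALLED where the kernel would spin
 * forever in softirq. With validate != 0 the patch's check is applied. */
static int walk_payload(const uint8_t *buf, size_t len, int validate, unsigned *count)
{
    size_t data = 0;

    *count = 0;
    while (data < len) {
        const uint8_t *iph = buf + data;
        size_t remaining = len - data;
        size_t iplen, iphlen, capturelen, before = data;

        if (remaining < 4)             /* need version/ihl and tot_len */
            return WALK_TRUNC;
        if ((iph[0] >> 4) != 4)        /* IPv6 inner packets left out of the model */
            return WALK_HDR_ERR;

        iplen = rd16be(iph + 2);
        iphlen = (size_t)(iph[0] & 0x0f) << 2;

        /* The check from the patch: tot_len < ihl*4 or ihl < 5 is bogus. */
        if (validate && (iplen < iphlen || iphlen < IPV4_MIN_HDR))
            return WALK_HDR_ERR;

        capturelen = iplen < remaining ? iplen : remaining;
        if (capturelen < iplen)        /* rest of this packet is in a later outer packet */
            return WALK_TRUNC;

        data += capturelen;
        if (data == before)            /* tot_len == 0: no progress, loop would never end */
            return WALK_STALLED;
        (*count)++;
    }
    return WALK_OK;
}

/* Write one inner IPv4 packet: version 4, given ihl and tot_len, zero body.
 * nbytes is what is actually present in the buffer (must be >= 4). */
static size_t put_pkt(uint8_t *out, uint8_t ihl, uint16_t tot_len, size_t nbytes)
{
    memset(out, 0, nbytes);
    out[0] = (uint8_t)(0x40 | (ihl & 0x0f));
    out[2] = (uint8_t)(tot_len >> 8);
    out[3] = (uint8_t)(tot_len & 0xff);
    return nbytes;
}

/* Build a constructed IPTFS-like payload for one scenario and walk it. */
int run_scenario(enum scenario sc, int validate, unsigned *count)
{
    uint8_t buf[64];
    size_t n = 0;

    switch (sc) {
    case SC_GOOD:          /* two well-formed packets: 20+8 bytes, then 20 bytes */
        n += put_pkt(buf + n, 5, 28, 28);
        n += put_pkt(buf + n, 5, 20, 20);
        break;
    case SC_ZERO_TOTLEN:   /* good packet followed by a header claiming tot_len=0 */
        n += put_pkt(buf + n, 5, 28, 28);
        n += put_pkt(buf + n, 5, 0, 20);
        break;
    case SC_SHORT_IHL:     /* ihl=4 (16 bytes) is below the 20-byte minimum */
        n += put_pkt(buf + n, 4, 24, 24);
        break;
    }
    return walk_payload(buf, n, validate, count);
}

int main(void)
{
    static const char *names[] = { "good", "tot_len=0", "ihl=4" };
    for (int sc = SC_GOOD; sc <= SC_SHORT_IHL; sc++) {
        unsigned c;
        int unchecked = run_scenario((enum scenario)sc, 0, &c);
        int checked = run_scenario((enum scenario)sc, 1, &c);
        printf("%-10s unchecked=%d checked=%d\n", names[sc], unchecked, checked);
    }
    return 0;
}
```

The ihl=4 scenario is the reason the patch's condition has two halves: tot_len=24 with ihl=4 passes `tot_len >= ihl*4`, and the unchecked walk consumes it as a valid packet, but the 16-byte header is shorter than `struct iphdr`, so `ihl*4 < sizeof(struct iphdr)` is what rejects it.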