From: Ido Schimmel <idosch@nvidia.com>
To: Yang Yang <n05ec@lzu.edu.cn>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, razor@blackwall.org, andrew+netdev@lunn.ch,
horms@kernel.org, florian.fainelli@broadcom.com,
roopa@cumulusnetworks.com, dlstevens@us.ibm.com, nb@tipi-net.de,
netdev@vger.kernel.org, bridge@lists.linux.dev,
linux-kernel@vger.kernel.org, yifanwucs@gmail.com,
tomapufckgml@gmail.com, tanyuan98@outlook.com, bird@lzu.edu.cn
Subject: Re: [PATCH net 2/3] bridge: br_nd_send: validate ND option lengths
Date: Thu, 26 Mar 2026 18:30:07 +0200 [thread overview]
Message-ID: <20260326163007.GB1051615@shredder> (raw)
In-Reply-To: <20260326034441.2037420-3-n05ec@lzu.edu.cn>
On Thu, Mar 26, 2026 at 03:44:40AM +0000, Yang Yang wrote:
> br_nd_send() walks ND options according to option-provided lengths.
> A malformed option can make the parser advance beyond the computed
> option span or use a too-short source LLADDR option payload.
>
> Validate option lengths against the remaining NS option area before
> advancing, and only read source LLADDR when the option is large enough
> for an Ethernet address.
>
> Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
> Cc: stable@vger.kernel.org
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Tested-by: Ao Zhou <n05ec@lzu.edu.cn>
> Co-developed-by: Yuan Tan <tanyuan98@outlook.com>
> Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
> Suggested-by: Xin Liu <bird@lzu.edu.cn>
> Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
The AI review [1] is correct that the length check for the
ND_OPT_SOURCE_LL_ADDR option is not strictly necessary, but it makes it
clear that the access is valid and it's harmless.
The other comment is about another existing issue in the code, but it's
less severe and shouldn't delay this patch.
[1] https://sashiko.dev/#/patchset/20260326034441.2037420-1-n05ec%40lzu.edu.cn
next prev parent reply other threads:[~2026-03-26 16:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-26 3:44 [PATCH net 0/3] bridge/vxlan: harden ND option parsing paths Yang Yang
2026-03-26 3:44 ` [PATCH net 1/3] bridge: br_nd_send: linearize skb before parsing ND options Yang Yang
2026-03-26 16:29 ` Ido Schimmel
2026-03-26 3:44 ` [PATCH net 2/3] bridge: br_nd_send: validate ND option lengths Yang Yang
2026-03-26 16:30 ` Ido Schimmel [this message]
2026-03-26 3:44 ` [PATCH net 3/3] vxlan: validate ND option lengths in vxlan_na_create Yang Yang
2026-03-26 16:30 ` Ido Schimmel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260326163007.GB1051615@shredder \
--to=idosch@nvidia.com \
--cc=andrew+netdev@lunn.ch \
--cc=bird@lzu.edu.cn \
--cc=bridge@lists.linux.dev \
--cc=davem@davemloft.net \
--cc=dlstevens@us.ibm.com \
--cc=edumazet@google.com \
--cc=florian.fainelli@broadcom.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=n05ec@lzu.edu.cn \
--cc=nb@tipi-net.de \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
--cc=roopa@cumulusnetworks.com \
--cc=tanyuan98@outlook.com \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox