From: Jakub Kicinski <kuba@kernel.org>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, edumazet@google.com, pabeni@redhat.com,
andrew+netdev@lunn.ch, horms@kernel.org,
willemdebruijn.kernel@gmail.com, daniel.zahka@gmail.com,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH net-next 3/3] psp: validate IPv4 header fields in psp_dev_rcv()
Date: Tue, 28 Apr 2026 13:53:52 -0700 [thread overview]
Message-ID: <20260428205352.1247325-4-kuba@kernel.org> (raw)
In-Reply-To: <20260428205352.1247325-1-kuba@kernel.org>
psp_dev_rcv() is called from the NIC driver's RX completion path
before the frame reaches ip_rcv_core(), so the IP header has not
been validated in SW, yet. We expect that the device has done
all this validation, but let's also add the SW checks, to avoid
surprises.
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
net/psp/psp_main.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/psp/psp_main.c b/net/psp/psp_main.c
index f069117c867a..524978dfb8fd 100644
--- a/net/psp/psp_main.c
+++ b/net/psp/psp_main.c
@@ -300,6 +300,9 @@ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv)
if (proto == htons(ETH_P_IP)) {
struct iphdr *iph = (struct iphdr *)(skb->data + l2_hlen);
+ if (unlikely(iph->ihl < 5))
+ return -EINVAL;
+
is_udp = iph->protocol == IPPROTO_UDP;
l3_hlen = iph->ihl * 4;
if (l3_hlen != sizeof(struct iphdr) &&
@@ -335,6 +338,9 @@ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv)
if (proto == htons(ETH_P_IP)) {
struct iphdr *iph = (struct iphdr *)(skb->data + l2_hlen);
+ if (unlikely(ntohs(iph->tot_len) < l3_hlen + encap))
+ return -EINVAL;
+
iph->protocol = psph->nexthdr;
iph->tot_len = htons(ntohs(iph->tot_len) - encap);
iph->check = 0;
@@ -342,6 +348,9 @@ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv)
} else {
struct ipv6hdr *ipv6h = (struct ipv6hdr *)(skb->data + l2_hlen);
+ if (unlikely(ntohs(ipv6h->payload_len) < encap))
+ return -EINVAL;
+
ipv6h->nexthdr = psph->nexthdr;
ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) - encap);
}
--
2.54.0
next prev parent reply other threads:[~2026-04-28 20:53 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-28 20:53 [PATCH net-next 0/3] net: psp: add more validation Jakub Kicinski
2026-04-28 20:53 ` [PATCH net-next 1/3] psp: validate protocol before mutating skb in psp_dev_encapsulate() Jakub Kicinski
2026-04-29 0:12 ` Eric Dumazet
2026-04-29 2:47 ` Willem de Bruijn
2026-04-28 20:53 ` [PATCH net-next 2/3] psp: add a comment about a psp_dev add netlink notification Jakub Kicinski
2026-04-29 2:48 ` Willem de Bruijn
2026-04-28 20:53 ` Jakub Kicinski [this message]
2026-04-29 0:14 ` [PATCH net-next 3/3] psp: validate IPv4 header fields in psp_dev_rcv() Eric Dumazet
2026-04-29 0:22 ` Willem de Bruijn
2026-04-29 1:43 ` Jakub Kicinski
2026-04-29 2:42 ` Willem de Bruijn
2026-04-30 0:40 ` [PATCH net-next 0/3] net: psp: add more validation patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260428205352.1247325-4-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=daniel.zahka@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox