From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AF69137CD45 for ; Tue, 28 Apr 2026 20:53:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777409638; cv=none; b=hcFrnwiDxiTF7h75n+TgJpE+NqhqJctkOMxufsg5ASsOLJRe1WeCxnAE1T9shXEM3q3gp9eO6S3h+lKMWsIR0aG/srP2sgt9TZEN2DuXv7n2MeiFqUs0uiyTCOmnVU7zYhkudDm5wmZunFq8UWGccvYWYhYtMFduHNRU1Enm6+c= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777409638; c=relaxed/simple; bh=4oTH/xrcufxBq/Rnkb7ZiwjmAVVhUjri5mktdyDyRLQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XNCE+tvV0OAqPGPGvGb8yHIra2qGu68KHhwEe38fH9cmR8a40iimlMZu/Yknok5gg64ZAGljEvRb+/SRHO0eo/PYxfJDwCyvY2lQI9nM9LCdzZsSlBfUamF4uAhpBRm/jzAEJaONTphGMyru/rJ1SIbS8oH6CZ6Eop41aWKURI0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=IMjOCamP; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="IMjOCamP" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3BBB4C2BCAF; Tue, 28 Apr 2026 20:53:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1777409638; bh=4oTH/xrcufxBq/Rnkb7ZiwjmAVVhUjri5mktdyDyRLQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IMjOCamPFnpW0vSwcjTB7BSKGr3VYx8qSObVjX74vZEZV3cGGvXhfAg3tbF7eKm08 RRQMhaDc5Ax77u+1kg+3Q0B+klCwrmWwgQPy6GQfdzPQ3w7BeK89EFKxFdmcrHTTgn 3Ls6qxOAX3Xk2CZLmWLyRBMuB6ZOR8y55yeZX5HPTfMO3hS7iP3w58bcGQz/xDFZkb O7kZnnKoGADnlFx7uMoqlY4cAjZZNmcQo/hhyN0a+LzTklqYIPwZahcfXJnD4/b2Td gVn/DSUIjH/Tw0/Z74mVyYa8hshpTvNg0/eCqaCbJAJOiF17EqSTn1OJhAw9i5zHTk j9Q/WTI72BzMA== From: Jakub Kicinski To: davem@davemloft.net Cc: netdev@vger.kernel.org, edumazet@google.com, pabeni@redhat.com, andrew+netdev@lunn.ch, horms@kernel.org, willemdebruijn.kernel@gmail.com, daniel.zahka@gmail.com, Jakub Kicinski Subject: [PATCH net-next 3/3] psp: validate IPv4 header fields in psp_dev_rcv() Date: Tue, 28 Apr 2026 13:53:52 -0700 Message-ID: <20260428205352.1247325-4-kuba@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260428205352.1247325-1-kuba@kernel.org> References: <20260428205352.1247325-1-kuba@kernel.org> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit psp_dev_rcv() is called from the NIC driver's RX completion path before the frame reaches ip_rcv_core(), so the IP header has not been validated in SW, yet. We expect that the device has done all this validation, but let's also add the SW checks, to avoid surprises. Signed-off-by: Jakub Kicinski --- net/psp/psp_main.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/net/psp/psp_main.c b/net/psp/psp_main.c index f069117c867a..524978dfb8fd 100644 --- a/net/psp/psp_main.c +++ b/net/psp/psp_main.c @@ -300,6 +300,9 @@ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv) if (proto == htons(ETH_P_IP)) { struct iphdr *iph = (struct iphdr *)(skb->data + l2_hlen); + if (unlikely(iph->ihl < 5)) + return -EINVAL; + is_udp = iph->protocol == IPPROTO_UDP; l3_hlen = iph->ihl * 4; if (l3_hlen != sizeof(struct iphdr) && @@ -335,6 +338,9 @@ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv) if (proto == htons(ETH_P_IP)) { struct iphdr *iph = (struct iphdr *)(skb->data + l2_hlen); + if (unlikely(ntohs(iph->tot_len) < l3_hlen + encap)) + return -EINVAL; + iph->protocol = psph->nexthdr; iph->tot_len = htons(ntohs(iph->tot_len) - encap); iph->check = 0; @@ -342,6 +348,9 @@ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv) } else { struct ipv6hdr *ipv6h = (struct ipv6hdr *)(skb->data + l2_hlen); + if (unlikely(ntohs(ipv6h->payload_len) < encap)) + return -EINVAL; + ipv6h->nexthdr = psph->nexthdr; ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) - encap); } -- 2.54.0