public inbox for netdev@vger.kernel.org
* [PATCH net] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
@ 2026-05-01  6:32 HACKE-RC
  2026-05-01 23:42 ` Jakub Kicinski
  0 siblings, 1 reply; 2+ messages in thread
From: HACKE-RC @ 2026-05-01  6:32 UTC (permalink / raw)
  To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni
  Cc: Simon Horman, Alexander Aring, netdev, linux-kernel, HACKE-RC

ipv6_rpl_srh_decompress() computes:

    outhdr->hdrlen = (((n + 1) * sizeof(struct in6_addr)) >> 3);

hdrlen is __u8. For n >= 127 the result exceeds 255 and silently
truncates. With n=127 (cmpri=15, cmpre=15, pad=0, hdrlen=16):

    (128 * 16) >> 3 = 256, truncated to 0 as __u8

The caller in ipv6_rpl_srh_rcv() then places the compressed header
at buf + ((ohdr->hdrlen + 1) << 3). With hdrlen=0 this is buf + 8,
but the decompressed region occupies buf[0..2055] (8-byte header
plus 128 full addresses). The compressed header overlaps the
decompressed data, and ipv6_rpl_srh_compress() writes into this
overlap, corrupting the routing header of the forwarded packet.

The existing guard at exthdrs.c:546 checks (n + 1) > 255, which
prevents n+1 from overflowing unsigned char (the segments_left
field), but does not prevent the computed hdrlen from overflowing
__u8. n=127 passes because 128 <= 255, yet hdrlen=256 does not
fit.

Tighten the bound to (n + 1) > 127. This caps n at 126, giving
hdrlen = (127 * 16) >> 3 = 254, which fits in __u8. The compressed
header then lands at buf + ((254 + 1) << 3) = buf + 2040, exactly
past the decompressed region (buf[0..2039]). No overlap. 127
segments is well beyond any realistic RPL deployment.

Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
Signed-off-by: HACKE-RC <rc@rexion.ai>
---
 net/ipv6/exthdrs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 95558fd6f..35a02584f 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -543,7 +543,7 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb)
 	 * unsigned char which is segments_left field. Should not be
 	 * higher than that.
 	 */
-	if (r || (n + 1) > 255) {
+	if (r || (n + 1) > 127) {
 		kfree_skb(skb);
 		return -1;
 	}
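Review bot: the comment kept as context just above the check ("unsigned char which is segments_left field. Should not be higher than that.") now describes the wrong limit: once the bound moves from 255 to 127, the property being enforced is that ((n + 1) * sizeof(struct in6_addr)) >> 3 fits in the __u8 hdrlen, not that n + 1 fits the segments_left field. Update the comment to say so, and consider deriving the constant from the sizes rather than hard-coding 127 (for example `(n + 1) > U8_MAX / (sizeof(struct in6_addr) >> 3)`, which evaluates to the same 127), so the relationship to hdrlen stays visible to the next reader.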
-- 
2.54.0
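
A stand-alone check of the arithmetic in the commit message, added here as an example and not part of the patch or the kernel tree: it models the __u8 hdrlen field with the kernel's sizes (16-byte in6_addr, 8-byte fixed header) and sweeps n under the old and the new guard to find the smallest accepted segment count that makes the compressed copy land inside the decompressed data. The struct and function names are this example's own.

```c
#include <stdint.h>

/* Sizes as in the kernel: sizeof(struct in6_addr) == 16, the fixed part of
 * the routing header is 8 bytes, and hdrlen is a __u8. This is a constructed
 * model of the arithmetic, not kernel code. */
#define IN6_ADDR_LEN   16u
#define SRH_FIXED_LEN  8u

struct rpl_layout {
    uint8_t  hdrlen;           /* value that ends up in the __u8 hdrlen field */
    unsigned decompressed_end; /* bytes occupied by the decompressed SRH */
    unsigned compressed_off;   /* buf offset where the compressed copy is placed */
    int      overlaps;         /* compressed copy lands inside decompressed data */
};

/* Reproduce the arithmetic from ipv6_rpl_srh_decompress() and its caller
 * ipv6_rpl_srh_rcv() for n + 1 addresses. */
struct rpl_layout rpl_layout_for(unsigned n)
{
    struct rpl_layout l;
    unsigned full = ((n + 1) * IN6_ADDR_LEN) >> 3;

    l.hdrlen = (uint8_t)full;            /* silent truncation once full > 255 */
    l.decompressed_end = SRH_FIXED_LEN + (n + 1) * IN6_ADDR_LEN;
    l.compressed_off = (l.hdrlen + 1u) << 3; /* buf + ((hdrlen + 1) << 3) */
    l.overlaps = l.compressed_off < l.decompressed_end;
    return l;
}

/* The guard before and after the patch: nonzero if n is let through. */
int old_guard_accepts(unsigned n) { return !((n + 1) > 255); }
int new_guard_accepts(unsigned n) { return !((n + 1) > 127); }

/* Smallest n a guard accepts that still produces an overlap, or -1 if none. */
int first_overlapping_n(int (*accepts)(unsigned))
{
    for (unsigned n = 0; n < 1024; n++)
        if (accepts(n) && rpl_layout_for(n).overlaps)
            return (int)n;
    return -1;
}
```

With the old guard the sweep stops at n = 127 (hdrlen wraps to 0, compressed copy at offset 8 inside a 2056-byte region); with the new guard every accepted n places the copy exactly at the end of the decompressed data.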



* Re: [PATCH net] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
  2026-05-01  6:32 [PATCH net] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() HACKE-RC
@ 2026-05-01 23:42 ` Jakub Kicinski
  0 siblings, 0 replies; 2+ messages in thread
From: Jakub Kicinski @ 2026-05-01 23:42 UTC (permalink / raw)
  To: HACKE-RC
  Cc: David S. Miller, Eric Dumazet, Paolo Abeni, Simon Horman,
	Alexander Aring, netdev, linux-kernel

On Fri,  1 May 2026 12:02:42 +0530 HACKE-RC wrote:
> From: HACKE-RC <rc@rexion.ai>

We need a real name, if you don't want to provide one please feel free
to send just the bug report and one of the maintainers will generate
the patch. Code is cheap these days.

