From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-179.mta0.migadu.com (out-179.mta0.migadu.com [91.218.175.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AA33819343E for ; Sat, 23 May 2026 13:04:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.179 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779541469; cv=none; b=RfDJhN0+JGUS9Oa1rxurPUYUaWn7YH01NfQxMB0blgp/9hLHfW1JgfCg5oJWpUbD1jaXB6M5TmUtHXcBIbBh2hZdfGUvEcKGTxi2u1AtQ8jXSz7kFPh65fQw1lcmxKcm5tJLZjwwE2ZFEuL3Dj3B3GsIpoXxVR8ecyqtDHF9xMw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779541469; c=relaxed/simple; bh=eEl4h13aEGggQbGNLeM0QYTHvyscGGMytZxSMyoWPyU=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=WyHgAKwGmYiE4lRM5UdusipR8NcUoGddK6U3rOBTysf+s0sN77ULx+OWc4Mv3yEIU432tk5G7lJ3d/KB2juWb5qgGANq02m4ac3FxPBWReesRiSlbzg0E5pgyDsORRbKrsGpiU6XfwPhdoWwVZusqtIB5GRmiilsxRkL2aM5wTM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=ZISTbxDf; arc=none smtp.client-ip=91.218.175.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="ZISTbxDf" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1779541455; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=7YubSZ9kYFNF5kRdJe7Y7jxoT376P/W7OO4m2z6juOQ=; b=ZISTbxDfi+eFv2MIrTTwPdZZaJF6kI2nww4DIcva1zOvoP8V9b1mgUkZBvGoyheJMvGLIa hxy8BK/YRa4vBBBBzwCsXXeYH0l1IG1H3heerr/4YhtmZnnfTVao0S30BxhI6gYiSc8kWx +CdoFSawX4uv5vrEk38USRH3VXWTwcg= From: luka.gejak@linux.dev To: "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman Cc: Luka Gejak , Felix Maurer , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net] net: hsr: fix potential OOB access in supervision frame handling Date: Sat, 23 May 2026 15:03:30 +0200 Message-ID: <20260523130330.61880-1-luka.gejak@linux.dev> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT From: Luka Gejak Ensure the entire TLV header is linearized before access by adding sizeof(struct hsr_sup_tlv) to the pskb_may_pull() calls. Without this, a truncated frame could cause an out-of-bounds access. Assisted-by: Gemini:Gemini-3.1-flash Fixes: eafaa88b3eb7 ("net: hsr: Add support for redbox supervision frames") Signed-off-by: Luka Gejak --- NOTE: This patch was previously part of a net-next series and was seperated as requested by Jakub Kicinski. Link to the old series is [1]. [1]:https://lore.kernel.org/netdev/20260513182657.20346-1-luka.gejak@linux.dev/ net/hsr/hsr_forward.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c index 0aca859c88cb..f669a226d728 100644 --- a/net/hsr/hsr_forward.c +++ b/net/hsr/hsr_forward.c @@ -84,7 +84,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb) /* Get next tlv */ total_length += hsr_sup_tag->tlv.HSR_TLV_length; - if (!pskb_may_pull(skb, total_length)) + if (!pskb_may_pull(skb, total_length + sizeof(struct hsr_sup_tlv))) return false; skb_pull(skb, total_length); hsr_sup_tlv = (struct hsr_sup_tlv *)skb->data; @@ -100,7 +100,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb) /* make sure another tlv follows */ total_length += sizeof(struct hsr_sup_tlv) + hsr_sup_tlv->HSR_TLV_length; - if (!pskb_may_pull(skb, total_length)) + if (!pskb_may_pull(skb, total_length + sizeof(struct hsr_sup_tlv))) return false; /* get next tlv */ -- 2.54.0