[PATCH net] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()

[PATCH net] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()

[Eric Dumazet]

In some cases, iptunnel_pmtud_check_icmp() can be called while
skb transport header is not set.

This triggers an out-of-bound access, because
(typeof(skb->transport_header))~0U is 65535.

Access the icmp header based on IPv4 network header,
after making sure icmp->type is present in skb linear part.

Note that iptunnel_pmtud_check_icmpv6()) is fine.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/ipv4/ip_tunnel_core.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 2667f53482bdaf1e693907fc527063d0ddd45580..5f82d84f0f1d0bf863716d8e777f1007f871b9b3 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -281,7 +281,6 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
  */
 static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
 {
-	const struct icmphdr *icmph = icmp_hdr(skb);
 	const struct iphdr *iph = ip_hdr(skb);
 
 	if (mtu < 576 || iph->frag_off != htons(IP_DF))
@@ -292,9 +291,17 @@ static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
 	    ipv4_is_lbcast(iph->saddr)  || ipv4_is_multicast(iph->saddr))
 		return 0;
 
-	if (iph->protocol == IPPROTO_ICMP && icmp_is_err(icmph->type))
-		return 0;
+	if (iph->protocol == IPPROTO_ICMP) {
+		const struct icmphdr *icmph;
 
+		if (!pskb_network_may_pull(skb, iph->ihl * 4 +
+						offsetofend(struct icmphdr, type)))
+			return 0;
+		iph = ip_hdr(skb);
+		icmph = (void *)iph + iph->ihl * 4;
+		if (icmp_is_err(icmph->type))
+			return 0;
+	}
 	return iptunnel_pmtud_build_icmp(skb, mtu);
 }
 
-- 
2.54.0.746.g67dd491aae-goog

Re: [PATCH net] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()

[Kuniyuki Iwashima]

On Fri, May 22, 2026 at 4:55 AM Eric Dumazet <edumazet@google.com> wrote:
>
> In some cases, iptunnel_pmtud_check_icmp() can be called while
> skb transport header is not set.
>
> This triggers an out-of-bound access, because
> (typeof(skb->transport_header))~0U is 65535.
>
> Access the icmp header based on IPv4 network header,
> after making sure icmp->type is present in skb linear part.
>
> Note that iptunnel_pmtud_check_icmpv6()) is fine.
>
> Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
> Reported-by: Damiano Melotti <melotti@google.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>

Re: [PATCH net] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()

[Jakub Kicinski]

On Sun, 24 May 2026 19:55:50 -0700 Kuniyuki Iwashima wrote:
> On Fri, May 22, 2026 at 4:55 AM Eric Dumazet <edumazet@google.com> wrote:
> >
> > In some cases, iptunnel_pmtud_check_icmp() can be called while
> > skb transport header is not set.
> >
> > This triggers an out-of-bound access, because
> > (typeof(skb->transport_header))~0U is 65535.
> >
> > Access the icmp header based on IPv4 network header,
> > after making sure icmp->type is present in skb linear part.
> >
> > Note that iptunnel_pmtud_check_icmpv6()) is fine.
> >
> > Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
> > Reported-by: Damiano Melotti <melotti@google.com>
> > Signed-off-by: Eric Dumazet <edumazet@google.com>  
> 
> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>

Are we okay with what sashiko is reporting?
If it's legit it may be better to fix in one series

Re: [PATCH net] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()

[Eric Dumazet]

On Mon, May 25, 2026 at 11:20 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Sun, 24 May 2026 19:55:50 -0700 Kuniyuki Iwashima wrote:
> > On Fri, May 22, 2026 at 4:55 AM Eric Dumazet <edumazet@google.com> wrote:
> > >
> > > In some cases, iptunnel_pmtud_check_icmp() can be called while
> > > skb transport header is not set.
> > >
> > > This triggers an out-of-bound access, because
> > > (typeof(skb->transport_header))~0U is 65535.
> > >
> > > Access the icmp header based on IPv4 network header,
> > > after making sure icmp->type is present in skb linear part.
> > >
> > > Note that iptunnel_pmtud_check_icmpv6()) is fine.
> > >
> > > Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
> > > Reported-by: Damiano Melotti <melotti@google.com>
> > > Signed-off-by: Eric Dumazet <edumazet@google.com>
> >
> > Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
>
> Are we okay with what sashiko is reporting?
> If it's legit it may be better to fix in one series

Maybe, but iptunnel_pmtud_check_icmpv6() is also calling
pskb_may_pull(), and always had.

Perhaps it is time for CONFIG_DEBUG_NET kernels to always reallocate
skb->head at every pskb_may_pull() call, just to expose these bugs.

I fear that a series will never be complete, sashiko will keep finding issues.

I can try a V2, but will probably give up soon.

Re: [PATCH net] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()

[Jakub Kicinski]

On Mon, 25 May 2026 11:41:59 -0700 Eric Dumazet wrote:
> > Are we okay with what sashiko is reporting?
> > If it's legit it may be better to fix in one series  
> 
> Maybe, but iptunnel_pmtud_check_icmpv6() is also calling
> pskb_may_pull(), and always had.
> 
> Perhaps it is time for CONFIG_DEBUG_NET kernels to always reallocate
> skb->head at every pskb_may_pull() call, just to expose these bugs.

Ack, but callers may ensure pulling just the ip header is already safe
at this point vs pulling an extra L4 hdr.

> I fear that a series will never be complete, sashiko will keep finding issues.
> 
> I can try a V2, but will probably give up soon.

Thanks, let's try v2. If it turns into a rabbit hole we can just apply
v1, LMK.