[PATCH net] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()

[PATCH net] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()

[Eric Dumazet]

skb_tunnel_check_pmtu() can change skb->head.

Reusing old_iph afer skb_tunnel_check_pmtu() can cause an UAF.

Use instead ip_hdr(skb) as done in drivers/net/bareudp.c
and drivers/net/geneve.c.

Found by Sashiko.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stefano Brivio <sbrivio@redhat.com>
---
 drivers/net/vxlan/vxlan_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
index e88798497503b53cbaf5bffad72cf3e1cc956410..b5b1253ac08ba46933249b06f19d1fe5a2ffd114 100644
--- a/drivers/net/vxlan/vxlan_core.c
+++ b/drivers/net/vxlan/vxlan_core.c
@@ -2531,7 +2531,7 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
 			goto out_unlock;
 		}
 
-		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+		tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
 		ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
 		err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr),
 				      vni, md, flags, udp_sum);
@@ -2605,7 +2605,7 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
 			goto out_unlock;
 		}
 
-		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+		tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
 		ttl = ttl ? : ip6_dst_hoplimit(ndst);
 		skb_scrub_packet(skb, xnet);
 		err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr),
-- 
2.54.0.746.g67dd491aae-goog

Re: [PATCH net] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()

[Stefano Brivio]

On Mon, 25 May 2026 20:36:42 +0000
Eric Dumazet <edumazet@google.com> wrote:

> skb_tunnel_check_pmtu() can change skb->head.
> 
> Reusing old_iph afer skb_tunnel_check_pmtu() can cause an UAF.
> 
> Use instead ip_hdr(skb) as done in drivers/net/bareudp.c
> and drivers/net/geneve.c.
> 
> Found by Sashiko.
> 
> Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Stefano Brivio <sbrivio@redhat.com>

Thanks for fixing this one as well.

I wonder if it would be clearer to reassign old_iph from ip_hdr(skb)
after the call to skb_tunnel_check_pmtu(), similarly to what commit
31392048f55f ("vxlan: Pull inner IP header in vxlan_xmit_one().") did.

Or maybe even to drop old_iph altogether, as it caused both bugs (the
one fixed by 31392048f55f and this one).

Either way, you have a fix ready and I guess the priority is to fix
this, and I could also send a follow-up patch for net-next, so:

Reviewed-by: Stefano Brivio <sbrivio@redhat.com>

> ---
>  drivers/net/vxlan/vxlan_core.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
> index e88798497503b53cbaf5bffad72cf3e1cc956410..b5b1253ac08ba46933249b06f19d1fe5a2ffd114 100644
> --- a/drivers/net/vxlan/vxlan_core.c
> +++ b/drivers/net/vxlan/vxlan_core.c
> @@ -2531,7 +2531,7 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
>  			goto out_unlock;
>  		}
>  
> -		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
> +		tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
>  		ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
>  		err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr),
>  				      vni, md, flags, udp_sum);
> @@ -2605,7 +2605,7 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
>  			goto out_unlock;
>  		}
>  
> -		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
> +		tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
>  		ttl = ttl ? : ip6_dst_hoplimit(ndst);
>  		skb_scrub_packet(skb, xnet);
>  		err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr),

-- 
Stefano