Netdev List
 help / color / mirror / Atom feed
* [PATCH net] vlan: prevent unsigned underflow in VLAN MTU calculation over MACsec
@ 2026-05-29  6:21 Yizhou Zhao
  2026-06-02  2:05 ` Jakub Kicinski
  0 siblings, 1 reply; 2+ messages in thread
From: Yizhou Zhao @ 2026-05-29  6:21 UTC (permalink / raw)
  To: netdev
  Cc: Yizhou Zhao, David S . Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Simon Horman, Kees Cook, linux-kernel, Yuxiang Yang,
	Ao Wang, Xuewei Feng, Qi Li, Ke Xu

When a VLAN device is created on top of a MACsec device (where
`netif_reduces_vlan_mtu()` returns true) and the underlying device's MTU
is smaller than `VLAN_HLEN` (4 bytes), subtracting `VLAN_HLEN` from the
device MTU can underflow an unsigned integer. This wraps `max_mtu` to a
value near `UINT_MAX`, bypassing MTU checks and allowing an invalidly
large MTU on the VLAN device.

The same underflow exists in `vlan_newlink()` where the ternary
expression `real_dev->mtu - VLAN_HLEN` can wrap if the real device's MTU
is smaller than `VLAN_HLEN`.

Fix both locations by first verifying that `real_dev->mtu >= VLAN_HLEN`
before performing the subtraction. If the underlying device's MTU is too
small, return an appropriate error:

- `vlan_dev_change_mtu()`: return `-ERANGE`
- `vlan_newlink()`: return `-EINVAL`

This ensures no invalid MTU values are set on VLAN devices when the
underlying MACsec device is too small.

Fixes: 18d3df3eab23 ("vlan: use a valid default mtu value for vlan over macsec")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: GLM:GLM-5.1
---
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index c40f7d5..19c838c 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -145,8 +145,11 @@ static int vlan_dev_change_mtu(struct net_device *dev, int new_mtu)
 	struct net_device *real_dev = vlan_dev_priv(dev)->real_dev;
 	unsigned int max_mtu = real_dev->mtu;
 
-	if (netif_reduces_vlan_mtu(real_dev))
+	if (netif_reduces_vlan_mtu(real_dev)) {
+		if (max_mtu < VLAN_HLEN)
+			return -ERANGE;
+		max_mtu -= VLAN_HLEN;
+	}
 	if (max_mtu < new_mtu)
 		return -ERANGE;
 
diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
index a000b1e..52a47d2 100644
--- a/net/8021q/vlan_netlink.c
+++ b/net/8021q/vlan_netlink.c
@@ -178,8 +178,13 @@ static int vlan_newlink(struct net_device *dev,
 	if (err < 0)
 		return err;
 
-	max_mtu = netif_reduces_vlan_mtu(real_dev) ? real_dev->mtu - VLAN_HLEN :
-						     real_dev->mtu;
+	if (netif_reduces_vlan_mtu(real_dev)) {
+		if (real_dev->mtu < VLAN_HLEN)
+			return -EINVAL;
+		max_mtu = real_dev->mtu - VLAN_HLEN;
+	} else {
+		max_mtu = real_dev->mtu;
+	}
 	if (!tb[IFLA_MTU])
 		dev->mtu = max_mtu;
 	else if (dev->mtu > max_mtu)
 		dev->mtu = max_mtu;


^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-02  2:05 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-29  6:21 [PATCH net] vlan: prevent unsigned underflow in VLAN MTU calculation over MACsec Yizhou Zhao
2026-06-02  2:05 ` Jakub Kicinski

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox