* [PATCH net] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
@ 2026-05-27 8:31 Yizhou Zhao
2026-06-02 16:17 ` Simon Horman
2026-06-02 19:20 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Yizhou Zhao @ 2026-05-27 8:31 UTC
To: netdev
Cc: Yizhou Zhao, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, linux-kernel, Yuxiang Yang, Ao Wang, Xuewei Feng,
Qi Li, Ke Xu
The receive-side GARP attribute parser computes dlen with reversed
operands:

    dlen = sizeof(*ga) - ga->len;

ga->len is the on-wire attribute length and includes the GARP attribute
header. For normal attributes with data, ga->len is larger than
sizeof(*ga), so the subtraction underflows in unsigned arithmetic.

The resulting value is later passed to garp_attr_lookup(), whose length
argument is u8. After truncation, the parsed data length usually no
longer matches the length stored for locally registered attributes, so
received Join/Leave events are ignored. This breaks the GARP receive path
for common attributes, such as GVRP VLAN registration attributes.

Compute the data length as the attribute length minus the header length.

Fixes: eca9ebac651f ("net: Add GARP applicant-only participant")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: GLM:GLM-5.1
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
---
diff --git a/net/802/garp.c b/net/802/garp.c
index 6f563b6..c7a39f2 100644
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -453,7 +453,7 @@ static int garp_pdu_parse_attr(struct garp_applicant *app, struct sk_buff *skb,
if (!pskb_may_pull(skb, ga->len))
return -1;
skb_pull(skb, ga->len);
- dlen = sizeof(*ga) - ga->len;
+ dlen = ga->len - sizeof(*ga);
if (attrtype > app->app->maxattr)
return 0;
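Review bot: the corrected `dlen = ga->len - sizeof(*ga);` still wraps when ga->len is smaller than sizeof(*ga), and the only checks visible ahead of it in this hunk are pskb_may_pull(skb, ga->len) and skb_pull(skb, ga->len), neither of which sets a lower bound on ga->len. If the lines above the hunk do not already reject ga->len < sizeof(*ga), add that check before the subtraction. A one-line comment that ga->len includes the header would also document why the operand order matters.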
--
2.43.0
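The arithmetic described in the commit message, as an added stand-alone example (not code from the patch or from net/802/garp.c). The structs, `attr_matches()`, `receive_matches()`, the `unsigned int` type of dlen and the sample attribute are assumptions made for illustration; only the two subtraction forms and the 8-bit length parameter come from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the on-wire attribute header; len counts the header too. */
struct attr_hdr { uint8_t len; uint8_t event; };

/* Hypothetical model of a locally registered attribute. */
struct reg_attr { uint8_t dlen; uint8_t data[2]; };

/* The length parameter is 8 bits wide, as the message says of garp_attr_lookup(). */
static int attr_matches(const struct reg_attr *r, const uint8_t *data, uint8_t len)
{
    /* The length test short-circuits, so a bogus len never reaches memcmp(). */
    return r->dlen == len && memcmp(r->data, data, len) == 0;
}

static unsigned int dlen_before(const struct attr_hdr *ga)
{
    return sizeof(*ga) - ga->len;  /* reversed operands: wraps when len > header */
}

static unsigned int dlen_after(const struct attr_hdr *ga)
{
    return ga->len - sizeof(*ga);  /* attribute length minus header length */
}

/* Returns 1 if a received 2-byte attribute value matches the registered one. */
static int receive_matches(int fixed)
{
    /* Constructed sample: 2-byte header followed by a 2-byte value. */
    const struct reg_attr reg = { .dlen = 2, .data = { 0x00, 0x64 } };
    const struct attr_hdr ga = { .len = 4, .event = 0 };
    const uint8_t data[2] = { 0x00, 0x64 };
    unsigned int dlen = fixed ? dlen_after(&ga) : dlen_before(&ga);

    /* Same narrowing that passing dlen to a u8 parameter performs. */
    return attr_matches(&reg, data, (uint8_t)dlen);
}

int main(void)
{
    const struct attr_hdr ga = { .len = 4, .event = 0 };

    printf("before: dlen=%u, as u8=%u, match=%d\n", dlen_before(&ga),
           (unsigned)(uint8_t)dlen_before(&ga), receive_matches(0));
    printf("after:  dlen=%u, as u8=%u, match=%d\n", dlen_after(&ga),
           (unsigned)(uint8_t)dlen_after(&ga), receive_matches(1));
    return 0;
}
```
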
* Re: [PATCH net] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
From: Simon Horman @ 2026-06-02 16:17 UTC
To: Yizhou Zhao
Cc: netdev, David S . Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, linux-kernel, Yuxiang Yang, Ao Wang, Xuewei Feng,
Qi Li, Ke Xu
On Wed, May 27, 2026 at 04:31:58PM +0800, Yizhou Zhao wrote:
> The receive-side GARP attribute parser computes dlen with reversed
> operands:
>
> dlen = sizeof(*ga) - ga->len;
>
> ga->len is the on-wire attribute length and includes the GARP attribute
> header. For normal attributes with data, ga->len is larger than
> sizeof(*ga), so the subtraction underflows in unsigned arithmetic.
>
> The resulting value is later passed to garp_attr_lookup(), whose length
> argument is u8. After truncation, the parsed data length usually no
> longer matches the length stored for locally registered attributes, so
> received Join/Leave events are ignored. This breaks the GARP receive path
> for common attributes, such as GVRP VLAN registration attributes.
>
> Compute the data length as the attribute length minus the header length.
>
> Fixes: eca9ebac651f ("net: Add GARP applicant-only participant")
> Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
> Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
> Reported-by: Ao Wang <wangao@seu.edu.cn>
> Reported-by: Xuewei Feng <fengxw06@126.com>
> Reported-by: Qi Li <qli01@tsinghua.edu.cn>
> Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
> Assisted-by: GLM:GLM-5.1
> Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
FTR, there is an AI generated review of this patch available on sashiko.dev.
I suggest that the issues raised there can be looked at in the context
of possible follow-up rather than something that blocks progress of this
patch.
* Re: [PATCH net] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
From: patchwork-bot+netdevbpf @ 2026-06-02 19:20 UTC
To: Yizhou Zhao
Cc: netdev, davem, edumazet, kuba, pabeni, linux-kernel, yangyx22,
wangao, fengxw06, qli01, xuke
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Wed, 27 May 2026 16:31:58 +0800 you wrote:
> The receive-side GARP attribute parser computes dlen with reversed
> operands:
>
> dlen = sizeof(*ga) - ga->len;
>
> ga->len is the on-wire attribute length and includes the GARP attribute
> header. For normal attributes with data, ga->len is larger than
> sizeof(*ga), so the subtraction underflows in unsigned arithmetic.
>
> [...]
Here is the summary with links:
- [net] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
https://git.kernel.org/netdev/net/c/16e408e607a9
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html