From: David Carlier <devnexen@gmail.com>
To: netdev@vger.kernel.org
Cc: David Carlier <devnexen@gmail.com>,
Claude <noreply@anthropic.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>, Kees Cook <kees@kernel.org>,
Thomas Gleixner <tglx@kernel.org>,
Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>,
Ingo Molnar <mingo@kernel.org>,
linux-kernel@vger.kernel.org
Subject: [PATCH] net: garp: reload skb header pointers after pskb_may_pull()
Date: Thu, 4 Jun 2026 15:19:22 +0100
Message-ID: <20260604141925.237746-1-devnexen@gmail.com>
garp_pdu_parse_attr() keeps a pointer into the skb linear area across
pskb_may_pull(skb, ga->len), and garp_pdu_parse_msg() dereferences gm
on every loop iteration even though the nested parse may pull again.
pskb_may_pull() can reallocate the skb head, which would leave those
pointers stale.
This is not reachable today: GARP PDUs arrive via the 802.2 LLC SAP
path, where llc_fixup_skb() already pulls and trims the whole payload
into the linear area, so the inner pulls never reallocate. Reload ga
after the pull and snapshot gm->attrtype into a local anyway, to harden
the parser and match the skb_header_pointer() discipline used by mrp.c.
No functional change.
Assisted-by: Claude <noreply@anthropic.com>
Signed-off-by: David Carlier <devnexen@gmail.com>
---
net/802/garp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/802/garp.c b/net/802/garp.c
index c7a39f298ad6..56b934ec1aae 100644
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -452,6 +452,7 @@ static int garp_pdu_parse_attr(struct garp_applicant *app, struct sk_buff *skb,
if (!pskb_may_pull(skb, ga->len))
return -1;
+ ga = (struct garp_attr_hdr *)skb->data;
skb_pull(skb, ga->len);
dlen = ga->len - sizeof(*ga);
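Review bot: the added `ga = (struct garp_attr_hdr *)skb->data;` will look redundant to a reader who does not know that pskb_may_pull() can move the skb head, so a one-line comment above it (e.g. `/* pskb_may_pull() may have reallocated the head */`) would stop it being "cleaned up" later. The `ga->len` passed to pskb_may_pull() is read before the pull and is therefore safe, and the following `skb_pull(skb, ga->len)` and `dlen = ga->len - sizeof(*ga)` now go through the refreshed pointer, which is the intended effect.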
@@ -492,6 +493,7 @@ static int garp_pdu_parse_attr(struct garp_applicant *app, struct sk_buff *skb,
static int garp_pdu_parse_msg(struct garp_applicant *app, struct sk_buff *skb)
{
const struct garp_msg_hdr *gm;
+ u8 attrtype;
if (!pskb_may_pull(skb, sizeof(*gm)))
return -1;
@@ -499,9 +501,10 @@ static int garp_pdu_parse_msg(struct garp_applicant *app, struct sk_buff *skb)
if (gm->attrtype == 0)
return -1;
skb_pull(skb, sizeof(*gm));
+ attrtype = gm->attrtype;
while (skb->len > 0) {
- if (garp_pdu_parse_attr(app, skb, gm->attrtype) < 0)
+ if (garp_pdu_parse_attr(app, skb, attrtype) < 0)
return -1;
if (garp_pdu_parse_end_mark(skb) < 0)
break;
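Review bot: the snapshot `attrtype = gm->attrtype;` is taken after `skb_pull(skb, sizeof(*gm))`; that is still safe, since skb_pull() only advances skb->data and does not reallocate, but placing the assignment directly after the `if (gm->attrtype == 0)` check (before the pull) would make it obvious that the value validated and the value passed to garp_pdu_parse_attr() come from the same read and that gm is not touched at all once the header is consumed. With the local in place the loop no longer dereferences gm after the nested parse may have pulled again, which closes the window the commit message describes.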
--
2.53.0
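The stale-pointer hazard the commit message describes, as an added C model that is not kernel code and not part of this patch: a toy skb whose pull may reallocate the linear area, and a parser that reloads its header pointer after the pull the way the patched garp_pdu_parse_attr() does. `toy_skb`, `toy_may_pull`, `attr_hdr`, `parse_attr` and `run_example` are all names constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
struct toy_skb {                                /* toy sk_buff, constructed for this example */
	unsigned char *data; size_t len;            /* linear area; data moves on realloc */
	const unsigned char *frag; size_t frag_len; /* non-linear tail not yet pulled in */
	int reallocs;                               /* how often data moved (for the test) */
};
struct attr_hdr { unsigned char len, event; };  /* stands in for garp_attr_hdr */
/* Toy pskb_may_pull(): make `need` bytes linear; may reallocate, staling old pointers. */
static int toy_may_pull(struct toy_skb *skb, size_t need)
{
	if (need <= skb->len) return 1;
	size_t take = need - skb->len;
	if (take > skb->frag_len) return 0;         /* too short: pull fails, as in the kernel */
	unsigned char *nd = malloc(skb->len + take);
	if (!nd) return 0;
	memcpy(nd, skb->data, skb->len);
	memcpy(nd + skb->len, skb->frag, take);
	free(skb->data);
	skb->data = nd; skb->len += take;
	skb->frag += take; skb->frag_len -= take;
	skb->reallocs++;
	return 1;
}

/* Parse one attribute with the patched discipline: reload ga after the second pull. */
static int parse_attr(struct toy_skb *skb, unsigned char *event_out)
{
	const struct attr_hdr *ga;
	if (!toy_may_pull(skb, sizeof(*ga))) return -1;
	ga = (const struct attr_hdr *)skb->data;
	if (ga->len < sizeof(*ga) || !toy_may_pull(skb, ga->len)) return -1;
	ga = (const struct attr_hdr *)skb->data;    /* reload: data may have moved */
	*event_out = ga->event;
	return ga->len - (int)sizeof(*ga);          /* payload length (dlen in garp.c) */
}

/* Constructed input: header {len=5, event=3} linear, 3 payload bytes in the tail. */
static int run_example(int *reallocs_out, unsigned char *event_out)
{
	static const unsigned char tail[3] = { 0xAA, 0xBB, 0xCC };
	unsigned char *lin = malloc(2);
	if (!lin) return -1;
	lin[0] = 5; lin[1] = 3;
	struct toy_skb skb = { lin, 2, tail, sizeof(tail), 0 };
	int dlen = parse_attr(&skb, event_out);     /* second pull must reallocate here */
	*reallocs_out = skb.reallocs;
	free(skb.data);
	return dlen;
}
```

Without the reload in parse_attr(), the read of `ga->event` would go through the pointer freed inside toy_may_pull(); the test below only checks that the reallocating path was actually exercised and that the reloaded parse returns the right values.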