* [PATCH net] ipconfig: bound BOOTP options by UDP datagram length
@ 2026-07-13 14:11 Yizhou Zhao
2026-07-19 8:41 ` Ido Schimmel
0 siblings, 1 reply; 2+ messages in thread
From: Yizhou Zhao @ 2026-07-13 14:11 UTC (permalink / raw)
To: netdev
Cc: Yizhou Zhao, David Ahern, Ido Schimmel, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
linux-kernel, Yuxiang Yang, Ao Wang, Xuewei Feng, Qi Li, Ke Xu,
stable
ic_bootp_recv() accepts an IP packet whose total length exceeds its UDP
datagram length. This is valid at the IP layer, but DHCP/BOOTP options
belong to the UDP payload. The option parser nevertheless uses the IP
total length as its end boundary.
Consequently, an on-link attacker that can race a boot-time DHCP exchange
can put DHCP options after the declared UDP payload and have ipconfig
consume them. A QEMU/KVM reproduction with ip=dhcp accepted a forged
DHCPOFFER/DHCPACK with an IP total length of 290 and UDP length of 248;
the tail supplied a netmask and an off-link gateway, causing boot-time
network configuration to fail.
Use the UDP datagram end as the parser boundary. The receiver already
verifies that the UDP datagram lies within the IP packet, so this retains
normal valid DHCP/BOOTP parsing while excluding the IP-only tail.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: Claude-Code:GLM-5.2-special
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
---
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index a35ffedacc7c..192874623a24 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -1068,7 +1068,7 @@ static int __init ic_bootp_recv(struct sk_buff *skb, struct net_device *dev, str
/* Parse extensions */
if (ext_len >= 4 &&
!memcmp(b->exten, ic_bootp_cookie, 4)) { /* Check magic cookie */
- u8 *end = (u8 *) b + ntohs(b->iph.tot_len);
+ u8 *end = (u8 *)b + sizeof(struct iphdr) + ntohs(b->udph.len);
u8 *ext;
#ifdef IPCONFIG_DHCP
--
2.47.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] ipconfig: bound BOOTP options by UDP datagram length
2026-07-13 14:11 [PATCH net] ipconfig: bound BOOTP options by UDP datagram length Yizhou Zhao
@ 2026-07-19 8:41 ` Ido Schimmel
0 siblings, 0 replies; 2+ messages in thread
From: Ido Schimmel @ 2026-07-19 8:41 UTC (permalink / raw)
To: Yizhou Zhao
Cc: netdev, David Ahern, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, Simon Horman, linux-kernel,
Yuxiang Yang, Ao Wang, Xuewei Feng, Qi Li, Ke Xu, stable
On Mon, Jul 13, 2026 at 10:11:06PM +0800, Yizhou Zhao wrote:
> ic_bootp_recv() accepts an IP packet whose total length exceeds its UDP
> datagram length. This is valid at the IP layer, but DHCP/BOOTP options
> belong to the UDP payload. The option parser nevertheless uses the IP
> total length as its end boundary.
>
> Consequently, an on-link attacker that can race a boot-time DHCP exchange
> can put DHCP options after the declared UDP payload and have ipconfig
> consume them. A QEMU/KVM reproduction with ip=dhcp accepted a forged
> DHCPOFFER/DHCPACK with an IP total length of 290 and UDP length of 248;
> the tail supplied a netmask and an off-link gateway, causing boot-time
> network configuration to fail.
>
> Use the UDP datagram end as the parser boundary. The receiver already
> verifies that the UDP datagram lies within the IP packet, so this retains
> normal valid DHCP/BOOTP parsing while excluding the IP-only tail.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
> Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
> Reported-by: Ao Wang <wangao@seu.edu.cn>
> Reported-by: Xuewei Feng <fengxw06@126.com>
> Reported-by: Qi Li <qli01@tsinghua.edu.cn>
> Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
> Assisted-by: Claude-Code:GLM-5.2-special
> Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
The code change looks correct, but why frame it as a security fix?
Can't an "on-link attacker" forge the UDP payload instead?
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-19 8:41 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-13 14:11 [PATCH net] ipconfig: bound BOOTP options by UDP datagram length Yizhou Zhao
2026-07-19 8:41 ` Ido Schimmel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox