From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-qk1-f172.google.com (mail-qk1-f172.google.com [209.85.222.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3204B3AD530 for ; Tue, 12 May 2026 20:51:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778619086; cv=none; b=szm1tbpmFX+0qYj8yv6wOi07nSXdY0cSdWojawiSbEhonkd/K5Fd3gOWlDzx/NzQYLfSAE/hdX4wXvDKBpcWwP/V9C6oX+W6UXHgdQT+ixDC0rOzF8EdwaXp9WG/PGI/lmm9WRvDFI6o5hx6Lpv8V8CHD3pnuvVI702mITHFQDU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778619086; c=relaxed/simple; bh=SrGWi/6wHIXpn0Jzv1Nk8znKQrM+sdOspj2f3aHSYS0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=tiElAuDJeTZk5txKWMby3dc2yvGMyFW7VvR7JdaN1HKpX5nXvYBPUOVOri/2BY3wE0fu23bx6GStl8nj200lOL29/KjAr8m1od8ax7ftnYxpKRx0Y/CUgxS2YvLDt67zLdG25bq3a1jTWnW/Ly+dDVLaO51VLZ6Co4yqhbiP4Ns= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=L4WGyJBq; arc=none smtp.client-ip=209.85.222.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="L4WGyJBq" Received: by mail-qk1-f172.google.com with SMTP id af79cd13be357-8d736211595so419482685a.0 for ; Tue, 12 May 2026 13:51:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778619081; x=1779223881; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Gga6YQiahEkWcYcvgOogf9AGzn6VBTkh6VyNbP8w6hs=; b=L4WGyJBqW98rGzfUq48UkQf+sLoqqFqTRI8lsOY9ffyHrujzBc46X+w82lmEugol6+ 6CiCMw5AaJAXJs5x7AJiCKQczN/xlvzsFlEZjKHUMQ3smEUIVzrnvgaWzTAdQHA9rv/i UkQ/neWqYsrRVUtMWtK4qIsix3oaH4DCdYEMlcD9g8Bqt7i8MN+iK26pwgWncfW0i5Cb RWWQQHdyYfU/da8eXynlyL1UFFjUqO5ezHQ83AN3RGnBlKXMC/r0IU9wWzE0fT5KzeN6 Ny06CFroIcEVNJhWVDcqv+QyQ13sSY1EOAApL4mXVfFcS45wNTi7cYVVrlcaOJyzpPoc n3PQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778619081; x=1779223881; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Gga6YQiahEkWcYcvgOogf9AGzn6VBTkh6VyNbP8w6hs=; b=gMfqNyftsDrB5Er8q8XYewtitm5JzX6ebVwE2eDnJIwhwdACHRBJm6L4AV5ci3OyUK qJgX+oR9v1juTK6XK+wBrGpCISrhxTNJEt5wfZlx29X2qlJNXBZT3Qt5ptvy4RkwwUCa VpjU3A/wJ2mXoF7hahSYexV8G36c9RPA5zxCjzHR/Gfnl/OgK0Y1oZ/u+9qO4YOGQ9b6 sLoLYxMiV4lnjx2JJm06PkQ+56yydZfuKm3pL+lYu/lh5e05py0Bhb63sEUMqwyi5jYC RmOXCuAdhBxTemDKDqc15AY695eLUZjhvbfZCfssWzoIPmLgXnuorcSYk9HxaqeO7yxK GB5A== X-Forwarded-Encrypted: i=1; AFNElJ9OH56NBk5daRUFVXBJv97HemEQ23NMvClSr3Hlt0xFSMUIowTXbv9IRvNnQ29KiIbe4lrooIQ=@vger.kernel.org X-Gm-Message-State: AOJu0YyKUn5l8z8TCTxprU9NI8lgFUMjQXUCsGeWzq7JMEgGwNuIQq64 YgLgpG1cC6dCCGD9IwyY4ymnqiyT2RyJ8qArSgK8RHlP2pfGO7leTHM/ X-Gm-Gg: Acq92OG2l6+3RwUJRWq2pwnHAVG5jQFMPF2q6axluyLzwWzDE0a7zf2ZOCikC/6FCyw 9Q6Hcw+cvvW9V0tE2sf4F8HDoG6TDbW2CzMkMrM56+cRXe/93j1zbX5W66bry2mGak9umWiAP1E QaUZEwT28oY5EE2IlehcLvQDvq0d6T7YDWe7aiE4lFde8C1hVZ/AozGcX+q21rQUrevRtzsJUYC +t1WYuH5K4pSkE65kOy1yX8eDTbwQzg0P90mcc2ta8imm8Xq6pd6PtGHNRyMb+5ut3duCIsVzv+ MyMOiHg3VzLWAzeMeQsRa6W9ZKSwWTjWGZNqysiC4z8lI6dk8YAOTuQBjJaFDjeMzWqZNmn3iFp t5a793oFdhYkmVdwea4ZT9Mj0uUsIXYSZQq9oOeOWHlGq+JTBeHYDxEMTzHYpY+aRGGCqiYAz66 /Gvva4AYHkGlVzrOM/vyKhT+rVtgto07nwQnDCT5dreECva5ZbbkBttcpL+6OSG0/GP1PW5w0RO POgQ23bghu7BT/8sT0cw4fhKF6t2ygf6JPhW5aD9jlV0cxOG3aJPA== X-Received: by 2002:a05:620a:d8e:b0:90b:263:f6b with SMTP id af79cd13be357-90fabcf968amr11126885a.21.1778619080781; Tue, 12 May 2026 13:51:20 -0700 (PDT) Received: from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id af79cd13be357-907b8d9eed0sm1490734285a.19.2026.05.12.13.51.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2026 13:51:20 -0700 (PDT) From: Michael Bommarito To: Steffen Klassert , Herbert Xu , Eric Dumazet , netdev@vger.kernel.org Cc: "David S . Miller" , Jakub Kicinski , Paolo Abeni , Kuniyuki Iwashima , Maciej Zenczykowski , Kees Cook , Jeff Layton , "Gustavo A . R . Silva" , Pablo Neira Ayuso , Florian Westphal , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH net 1/2] ipv4: raw: reject IP_HDRINCL packets with ihl < 5 Date: Tue, 12 May 2026 16:51:14 -0400 Message-ID: <77ec2b5e8111961c2c39883c92e8aa2709039c17.1778614451.git.michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit raw_send_hdrinc() validates that the caller-supplied IPv4 header fits within the message length: iphlen = iph->ihl * 4; err = -EINVAL; if (iphlen > length) goto error_free; if (iphlen >= sizeof(*iph)) { /* fix up saddr, tot_len, id, csum, transport_header */ } It does not, however, reject ihl < 5. For such a packet the "if (iphlen >= sizeof(*iph))" branch is skipped, leaving the crafted iphdr untouched, but the packet is still handed to __ip_local_out() and onward. Downstream consumers that read iph->ihl assume a sane value: net/ipv4/ah4.c:ah_output() in particular subtracts sizeof(struct iphdr) from top_iph->ihl * 4 and passes the (signed-int-negative, then cast to size_t) result to memcpy(), producing an OOB access of length close to SIZE_MAX and a host kernel panic. An IPv4 header with ihl < 5 is malformed by definition (RFC 791: "Internet Header Length is the length of the internet header in 32 bit words ... Note that the minimum value for a correct header is 5."). The kernel should not be willing to inject such a packet into its own output path. Reject "iphlen < sizeof(*iph)" alongside the existing "iphlen > length" check. This matches the principle that locally constructed packets that re-enter the IP stack must pass the same basic sanity tests that a foreign packet would be subjected to. Once this lands, the "if (iphlen >= sizeof(*iph))" wrapper around the fixup branch becomes redundant; left in place to keep the patch minimal and backport-friendly. A follow-up can unwrap it. Note that commit 86f4c90a1c5c ("ipv4, ipv6: ensure raw socket message is big enough to hold an IP header") ensures the message buffer is large enough to hold an iphdr, but does not constrain the self-reported iph->ihl. Reachability: the malformed packet source is any caller with CAP_NET_RAW, including an unprivileged process in a user+net namespace on a kernel with CONFIG_USER_NS=y. The reproduced AH crash also requires a matching xfrm AH policy on the outgoing route; a container granted CAP_NET_ADMIN can install that state and policy in its netns. Loopback bypasses xfrm_output, so the trigger uses a real netdev. Reproduced on UML + KASAN: kernel-mode fault at addr 0x0 with memcpy_orig at the crash site. Same shape reproduces inside a rootless Docker container with --cap-add NET_ADMIN on a stock distro kernel. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Suggested-by: Herbert Xu Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito --- net/ipv4/raw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 5aaf9c62c8e1..68e88cb3e55c 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -391,7 +391,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4, * in, reject the frame as invalid */ err = -EINVAL; - if (iphlen > length) + if (iphlen > length || iphlen < sizeof(*iph)) goto error_free; if (iphlen >= sizeof(*iph)) { -- 2.53.0