From: Paolo Abeni <pabeni@redhat.com>
To: Mashiro Chen <mashiro.chen@mailbox.org>, netdev@vger.kernel.org
Cc: linux-hams@vger.kernel.org, kuba@kernel.org, horms@kernel.org,
davem@davemloft.net, edumazet@google.com
Subject: Re: [PATCH v4 net] net: ax25: fix integer overflow in ax25_rx_fragment()
Date: Tue, 21 Apr 2026 09:29:11 +0200
Message-ID: <805a8583-6a84-4dfb-a4d4-53f80f50effc@redhat.com>
In-Reply-To: <20260413204921.70463-1-mashiro.chen@mailbox.org>
On 4/13/26 10:49 PM, Mashiro Chen wrote:
> ax25_rx_fragment() accumulates fragment lengths into ax25_cb->fraglen,
> which is an unsigned short. When the total exceeds 65535, fraglen wraps
> around to a small value. The subsequent alloc_skb(fraglen) allocates a
> too-small buffer, and skb_put() in the copy loop triggers skb_over_panic().
>
> Add pskb_may_pull(skb, 1) at function entry to ensure the segmentation
> header byte is in the linear data area before dereferencing skb->data.
> This also rejects zero-length skbs, which the original code did not
> check for.
>
> Two issues in the overflow error path are also fixed:
> First, the current skb, after skb_pull(skb, 1), is neither enqueued
> nor freed before returning 1, leaking it. Add kfree_skb(skb) before
> the return.
> Second, ax25->fraglen is not reset after skb_queue_purge(). Add
> ax25->fraglen = 0 to restore a consistent state.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Mashiro Chen <mashiro.chen@mailbox.org>
We are moving ax25 out of tree:
https://lore.kernel.org/netdev/20260421021824.1293976-1-kuba@kernel.org/
please hold off until Thursday (after that our net PR will land into
mainline), and eventually resend if the code still exists in Linus's
tree at that point.
Thanks,
Paolo
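To make the wrap described in the quoted commit message concrete, the following is an added user-space model, not kernel code and not part of this thread: it accumulates an unsigned short fraglen with no bound beside a checked variant whose overflow condition is this example's own assumption (the patch's exact test is not quoted here) and whose error path follows the commit message (drop the fragment, purge the queue, reset fraglen).

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

struct reasm {
	uint16_t fraglen;  /* unsigned short in struct ax25_cb: length of queued fragments */
};

/* Pre-fix behaviour for a whole fragment stream: fraglen is accumulated with no
 * bound, so it wraps modulo 65536 while the queued data keeps growing. Returns
 * the size alloc_skb() would be handed for the reassembled frame. */
static unsigned int unchecked_alloc_size(unsigned int nfrags, unsigned int frag_len)
{
	struct reasm r = {0};
	for (unsigned int i = 0; i < nfrags; i++)
		r.fraglen += frag_len;  /* promoted to int, truncated back to 16 bits */
	return r.fraglen;
}

/* Checked per-fragment accumulation. The overflow condition is this example's
 * assumption (the patch's exact test is not quoted in the mail); the error path
 * follows the commit message: drop the fragment, purge the queue, reset fraglen. */
static int rx_fragment_checked(struct reasm *r, unsigned int len)
{
	if (len > (unsigned int)USHRT_MAX - r->fraglen) {
		/* kernel: kfree_skb(skb); skb_queue_purge(&ax25->frag_queue); */
		r->fraglen = 0;  /* ax25->fraglen = 0: consistent state for the next frame */
		return -1;
	}
	r->fraglen += len;
	return 0;
}

/* Same stream through the checked path. Returns the final fraglen, or -1 if an
 * overflow was rejected and the state is back at fraglen 0 (-2: reset failed). */
static long checked_alloc_size(unsigned int nfrags, unsigned int frag_len)
{
	struct reasm r = {0};
	for (unsigned int i = 0; i < nfrags; i++)
		if (rx_fragment_checked(&r, frag_len) < 0)
			return r.fraglen == 0 ? -1 : -2;
	return r.fraglen;
}

int main(void)
{	/* constructed stream: 258 fragments of 255 bytes = 65790 bytes queued */
	printf("unchecked alloc_skb(%u), checked %ld\n",
	       unchecked_alloc_size(258, 255), checked_alloc_size(258, 255));
	return 0;
}
```

With 258 fragments of 255 bytes the unchecked path hands alloc_skb() a 254-byte size for 65790 queued bytes, which is the skb_over_panic() condition the commit message describes; the checked path rejects the 258th fragment and leaves fraglen at 0.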