Re: [PATCH net 2/2] ipv4: ah: harden ah_output options-copy guard against ihl < 5

[Herbert Xu <herbert@gondor.apana.org.au>]

On Tue, May 12, 2026 at 04:51:15PM -0400, Michael Bommarito wrote:
> 
> diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
> index 4366cbac3f06..8fa31bdf9792 100644
> --- a/net/ipv4/ah4.c
> +++ b/net/ipv4/ah4.c
> @@ -137,7 +137,7 @@ static void ah_output_done(void *data, int err)
>  	top_iph->tos = iph->tos;
>  	top_iph->ttl = iph->ttl;
>  	top_iph->frag_off = iph->frag_off;
> -	if (top_iph->ihl != 5) {
> +	if (top_iph->ihl > 5) {

As I have said before, if ihl is less than 5, then it's invalid to
access any fields from the IP header (in fact you can't even access
ihl itself if it's that short).

So if these packets are getting this far into our stack, then things
are very wrong indeed.

Now I understand that this is already happening so we have to accept
it.  But we should try to fix each and one of these issues as other
places in our IP stack can very much break if you bombard them with
these bogus packets.

To further that end, I suggest that you add a WARN_ON_ONCE for the
case (top_iph->ihl < 5) and put that at the very start of the AH
input function so that i can bail out straight away.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt