> Hi Lorenzo, > > Thanks for your patch, comments below. > > On Fri, Jun 05, 2026 at 06:47:48PM +0200, Lorenzo Bianconi wrote: > > Add sanity check for iph->ihl field in nf_flow_ip4_tunnel_proto routine. > > Moreover, similar to nf_flow_ip6_tunnel_proto(), rely on > > skb_header_pointer() to validate skb header layout. > > > > Fixes: ab427db178858 ("netfilter: flowtable: Add IPIP rx sw acceleration") > > Signed-off-by: Lorenzo Bianconi > > --- > > net/netfilter/nf_flow_table_ip.c | 14 ++++++++------ > > 1 file changed, 8 insertions(+), 6 deletions(-) > > > > diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c > > index 9c05a50d6013..9684c19da37a 100644 > > --- a/net/netfilter/nf_flow_table_ip.c > > +++ b/net/netfilter/nf_flow_table_ip.c > > @@ -319,15 +319,17 @@ static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb, > > static bool nf_flow_ip4_tunnel_proto(struct nf_flowtable_ctx *ctx, > > struct sk_buff *skb) > > { > > - struct iphdr *iph; > > + struct iphdr *iph, _iph; > > u16 size; > > > > - if (!pskb_may_pull(skb, sizeof(*iph) + ctx->offset)) > > + iph = skb_header_pointer(skb, ctx->offset, sizeof(*iph), &_iph); > > I think we have to update nf_flow_ip6_tunnel_proto() to call > pskb_may_pull() instead, given that this calls skb_pull() later on to > pull the tunnel header and this ensures that the IP header this will > pull will be in a linear area. ack, I will fix it in v2. Regards, Lorenzo > > > + if (!iph) > > return false; > > > > - iph = (struct iphdr *)(skb_network_header(skb) + ctx->offset); > > - size = iph->ihl << 2; > > + if (iph->ihl < 5) > > + return false; > > > > + size = iph->ihl << 2; > > if (ip_is_fragment(iph) || unlikely(ip_has_options(size))) > > return false; 
> > > > @@ -335,9 +337,9 @@ static bool nf_flow_ip4_tunnel_proto(struct nf_flowtable_ctx *ctx, > > return false; > > > > if (iph->protocol == IPPROTO_IPIP) { > > - ctx->tun.proto = IPPROTO_IPIP; > > + ctx->tun.proto = iph->protocol; > > ctx->tun.hdr_size = size; > > - ctx->offset += size; > > + ctx->offset += ctx->tun.hdr_size; > > } > > > > return true; > > > > --- > > base-commit: 4aacf509e537a711fa71bca9f234e5eb6968850e > > change-id: 20260605-nf_flow_ip4_tunnel_proto-update-b31f7bff6fb9 > > > > Best regards, > > -- > > Lorenzo Bianconi > >
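Review bot: in the first hunk (@@ -319,15 +319,17 @@), replacing pskb_may_pull() with skb_header_pointer() means iph may point at the on-stack copy _iph, and nothing in this function then guarantees that the outer IPv4 header at ctx->offset sits in the linear area. As the reply above notes, the tunnel header is removed later with skb_pull(), so keep the original `if (!pskb_may_pull(skb, sizeof(*iph) + ctx->offset))` check and the skb_network_header() based read, and add only the new `if (iph->ihl < 5)` test after them. The literal 5 would also benefit from a short comment saying it is the minimum IPv4 header length in 32-bit words, or from comparing size against sizeof(*iph) once size has been computed.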
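Review bot: in the second hunk (@@ -335,9 +337,9 @@), neither changed line is covered by the commit message, and neither alters behaviour as far as the visible lines show: inside `if (iph->protocol == IPPROTO_IPIP)` the assignment `ctx->tun.proto = iph->protocol` stores the same value as the constant it replaces, and `ctx->offset += ctx->tun.hdr_size` adds back what was just stored from size on the line above. Since the patch carries a Fixes: tag, consider dropping these two lines or moving them to a separate cleanup patch so the fix itself stays limited to the header validation.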