From: Florian Westphal <fw@strlen.de>
To: Ren Wei <n05ec@lzu.edu.cn>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org,
phil@nwl.cc, yifanwucs@gmail.com, tomapufckgml@gmail.com,
yuantan098@gmail.com, bird@lzu.edu.cn, enjou1224z@gmail.com,
zcliangcn@gmail.com
Subject: Re: [PATCH 1/1] netfilter: ip6t_eui64: validate MAC header before using it
Date: Wed, 1 Apr 2026 21:14:57 +0200 [thread overview]
Message-ID: <ac1uqcDxsmmQ-oxH@strlen.de> (raw)
In-Reply-To: <acus9gpd-oKl_6dg@strlen.de>
[ Trimming Cc list ]
Florian Westphal <fw@strlen.de> wrote:
> Florian Westphal <fw@strlen.de> wrote:
> > Ren Wei <n05ec@lzu.edu.cn> wrote:
> > > From: Zhengchuan Liang <zcliangcn@gmail.com>
> > >
> > > `eui64_mt6()` derives a modified EUI-64 from the Ethernet source
> > > address and compares it with the low 64 bits of the IPv6 source
> > > address.
> > >
> > > The match unconditionally reaches `skb_mac_header()` and `eth_hdr(skb)`
> > > after a guard that only rejects an invalid MAC header when
> > > `par->fragoff != 0`. As a result, non-fragment packets can still reach
> > > `eth_hdr(skb)` even when the skb has no MAC header set, or when the MAC
> > > header does not cover a full Ethernet header.
> > >
> > > Fix this by first checking that the MAC header is set and spans a full
> > > Ethernet header before accessing it, then using that validated header
> > > directly for the EUI-64 comparison. Preserve the existing hotdrop
> > > behavior for non-first fragments with an invalid MAC header.
> >
> > I find this rather confusing. E.g. why is net/netfilter/xt_mac.c safe?
> > I get the feeling that this patch is not sufficient?
> >
> > > + if (!skb_mac_header_was_set(skb)) {
> >
> > Makes sense to me.
> >
> > > + mac = skb_mac_header(skb);
> > > + if (mac < skb->head || mac + ETH_HLEN > skb->data) {
> > > + if (par->fragoff != 0)
> > > + par->hotdrop = true;
> > > + return false;
> >
> > Why do we still need this stunt? Why not:
> >
> > mac_len = skb_mac_header_len(skb);
> > if (mac_len < ETH_HLEN) {
> > par->hotdrop = true;
> > return false;
> > }
> >
> > ?
> >
> > I also feel there should be a check for ethernet, i.e.
> > if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER)
> >
> > ... like in xt_mac.c.
>
> There are other suspicious spots, e.g. in nf_log_syslog.c and in ipset.
>
> Will you make a patch to cover all of these?
Ping. Will you followup or do you expect us to take over?
next prev parent reply other threads:[~2026-04-01 19:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1774859629.git.zcliangcn@gmail.com>
2026-03-31 7:34 ` [PATCH 1/1] netfilter: ip6t_eui64: validate MAC header before using it Ren Wei
2026-03-31 9:26 ` Florian Westphal
2026-03-31 11:16 ` Florian Westphal
2026-04-01 19:14 ` Florian Westphal [this message]
2026-04-01 20:18 ` Yuan Tan
2026-04-04 9:39 ` [PATCH nf v2 1/2] netfilter: ip6t_eui64: reject invalid MAC header for all packets Ren Wei
2026-04-04 9:39 ` [PATCH nf v2 2/2] netfilter: require Ethernet MAC header before using eth_hdr() Ren Wei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ac1uqcDxsmmQ-oxH@strlen.de \
--to=fw@strlen.de \
--cc=bird@lzu.edu.cn \
--cc=enjou1224z@gmail.com \
--cc=n05ec@lzu.edu.cn \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=yuantan098@gmail.com \
--cc=zcliangcn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox