From: Florian Westphal <fw@strlen.de>
To: Ren Wei <n05ec@lzu.edu.cn>
Cc: security@kernel.org, netfilter-devel@vger.kernel.org,
pablo@netfilter.org, phil@nwl.cc, davem@davemloft.net,
dsahern@kernel.org, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, yifanwucs@gmail.com,
tomapufckgml@gmail.com, yuantan098@gmail.com, bird@lzu.edu.cn,
enjou1224z@gmail.com, zcliangcn@gmail.com
Subject: Re: [PATCH 1/1] netfilter: ip6t_eui64: validate MAC header before using it
Date: Tue, 31 Mar 2026 11:26:19 +0200 [thread overview]
Message-ID: <acuTO7bnCukKSpme@strlen.de> (raw)
In-Reply-To: <5267bb5b37997fa793c28c4b928a828cfb3a3927.1774859629.git.zcliangcn@gmail.com>
Ren Wei <n05ec@lzu.edu.cn> wrote:
> From: Zhengchuan Liang <zcliangcn@gmail.com>
>
> `eui64_mt6()` derives a modified EUI-64 from the Ethernet source
> address and compares it with the low 64 bits of the IPv6 source
> address.
>
> The match unconditionally reaches `skb_mac_header()` and `eth_hdr(skb)`
> after a guard that only rejects an invalid MAC header when
> `par->fragoff != 0`. As a result, non-fragment packets can still reach
> `eth_hdr(skb)` even when the skb has no MAC header set, or when the MAC
> header does not cover a full Ethernet header.
>
> Fix this by first checking that the MAC header is set and spans a full
> Ethernet header before accessing it, then using that validated header
> directly for the EUI-64 comparison. Preserve the existing hotdrop
> behavior for non-first fragments with an invalid MAC header.
I find this rather confusing. E.g. why is net/netfilter/xt_mac.c safe?
I get the feeling that this patch is not sufficient?
> + if (!skb_mac_header_was_set(skb)) {
Makes sense to me.
> + mac = skb_mac_header(skb);
> + if (mac < skb->head || mac + ETH_HLEN > skb->data) {
> + if (par->fragoff != 0)
> + par->hotdrop = true;
> + return false;
Why do we still need this stunt? Why not:
mac_len = skb_mac_header_len(skb);
if (mac_len < ETH_HLEN) {
par->hotdrop = true;
return false;
}
?
I also feel there should be a check for ethernet, i.e.
if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER)
... like in xt_mac.c.
next prev parent reply other threads:[~2026-03-31 9:26 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1774859629.git.zcliangcn@gmail.com>
2026-03-31 7:34 ` [PATCH 1/1] netfilter: ip6t_eui64: validate MAC header before using it Ren Wei
2026-03-31 9:26 ` Florian Westphal [this message]
2026-03-31 11:16 ` Florian Westphal
2026-04-01 19:14 ` Florian Westphal
2026-04-01 20:18 ` Yuan Tan
2026-04-04 9:39 ` [PATCH nf v2 1/2] netfilter: ip6t_eui64: reject invalid MAC header for all packets Ren Wei
2026-04-04 9:39 ` [PATCH nf v2 2/2] netfilter: require Ethernet MAC header before using eth_hdr() Ren Wei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=acuTO7bnCukKSpme@strlen.de \
--to=fw@strlen.de \
--cc=bird@lzu.edu.cn \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=enjou1224z@gmail.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=n05ec@lzu.edu.cn \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
--cc=security@kernel.org \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=yuantan098@gmail.com \
--cc=zcliangcn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox