Linux kernel -stable discussions
From: Herbert Xu <herbert@gondor.apana.org.au>
To: Michael Bommarito <michael.bommarito@gmail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
	Eric Dumazet <edumazet@google.com>,
	netdev@vger.kernel.org, "David S . Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Kuniyuki Iwashima <kuniyu@google.com>,
	Maciej Zenczykowski <maze@google.com>,
	Kees Cook <kees@kernel.org>, Jeff Layton <jlayton@kernel.org>,
	"Gustavo A . R . Silva" <gustavoars@kernel.org>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Florian Westphal <fw@strlen.de>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH net 2/2] ipv4: ah: harden ah_output options-copy guard against ihl < 5
Date: Fri, 15 May 2026 12:20:06 +0800
Message-ID: <agae9ph6pzaQJv3E@gondor.apana.org.au>
In-Reply-To: <423b9ce3b45782c09a2fd9c65ad6674a9abb7c72.1778614451.git.michael.bommarito@gmail.com>

On Tue, May 12, 2026 at 04:51:15PM -0400, Michael Bommarito wrote:
> 
> diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
> index 4366cbac3f06..8fa31bdf9792 100644
> --- a/net/ipv4/ah4.c
> +++ b/net/ipv4/ah4.c
> @@ -137,7 +137,7 @@ static void ah_output_done(void *data, int err)
>  	top_iph->tos = iph->tos;
>  	top_iph->ttl = iph->ttl;
>  	top_iph->frag_off = iph->frag_off;
> -	if (top_iph->ihl != 5) {
> +	if (top_iph->ihl > 5) {
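Review bot: relaxing the guard on the `if (top_iph->ihl ...)` line only keeps an ihl below 5 out of the options-copy branch; the three field copies right above it in this hunk (`top_iph->tos = iph->tos;` and the ttl and frag_off lines) still read an IP header that claims fewer than 20 bytes, so the malformed header is silently treated as a plain one rather than rejected. Prefer an explicit check for ihl < 5 before any header field is dereferenced, and say in the commit message how such packets reach this function in the first place.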

As I have said before, if ihl is less than 5, then it's invalid to
access any fields from the IP header (in fact you can't even access
ihl itself if it's that short).

So if these packets are getting this far into our stack, then things
are very wrong indeed.

Now I understand that this is already happening so we have to accept
it.  But we should try to fix each and every one of these issues as other
places in our IP stack can very much break if you bombard them with
these bogus packets.

To further that end, I suggest that you add a WARN_ON_ONCE for the
case (top_iph->ihl < 5) and put that at the very start of the AH
input function so that it can bail out straight away.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
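The check discussed above, as a userspace model added here for illustration (not kernel code and not part of the patch): nothing past the first byte of the header is read until the ihl nibble proves the header is at least 20 bytes, and options are copied only when ihl > 5. The sample headers are constructed.

```c
/* Userspace model of the ihl checks discussed above (added example, not
 * kernel code). Nothing beyond buf[0] is read until ihl says the header
 * is at least the minimum 20 bytes; options are copied only if ihl > 5. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPV4_MIN_IHL 5   /* 5 * 4 = 20-byte header without options */

/* Constructed sample headers: version 4, ihl in the low nibble of byte 0. */
static const uint8_t sample_plain[20] = { 0x45, 0x00, 0x00, 20 };
static const uint8_t sample_opts[24]  = { 0x46, 0x00, 0x00, 24,
                                          [20] = 0x94, 0x04, 0x00, 0x00 };
static const uint8_t sample_bogus[20] = { 0x43, 0x00, 0x00, 20 }; /* ihl = 3 */
uint8_t opt_scratch[40];

/* Returns 0 and sets *opt_len (bytes of options) when the header is sane,
 * -1 when ihl < 5 or the buffer is shorter than ihl * 4. */
int ipv4_check_ihl(const uint8_t *buf, size_t len, size_t *opt_len)
{
    if (len < 1)
        return -1;                  /* cannot even read the ihl nibble */
    unsigned int version = buf[0] >> 4;
    unsigned int ihl = buf[0] & 0x0f;
    if (version != 4 || ihl < IPV4_MIN_IHL)
        return -1;                  /* header claims fewer than 20 bytes */
    if (len < (size_t)ihl * 4)
        return -1;                  /* truncated: options not all present */
    *opt_len = ((size_t)ihl - IPV4_MIN_IHL) * 4;
    return 0;
}

/* The options-copy step guarded by the validated ihl: returns the number
 * of option bytes copied into opts, or -1 if the header was rejected. */
int ipv4_copy_options(const uint8_t *buf, size_t len,
                      uint8_t *opts, size_t opts_cap)
{
    size_t opt_len;
    if (ipv4_check_ihl(buf, len, &opt_len) < 0 || opt_len > opts_cap)
        return -1;
    if (opt_len > 0)                /* the "ihl > 5" branch */
        memcpy(opts, buf + IPV4_MIN_IHL * 4, opt_len);
    return (int)opt_len;
}
```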

Thread overview: 3+ messages
     [not found] <cover.1778614451.git.michael.bommarito@gmail.com>
2026-05-12 20:51 ` [PATCH net 1/2] ipv4: raw: reject IP_HDRINCL packets with ihl < 5 Michael Bommarito
2026-05-12 20:51 ` [PATCH net 2/2] ipv4: ah: harden ah_output options-copy guard against " Michael Bommarito
2026-05-15  4:20   ` Herbert Xu [this message]