Re: [PATCH v2] net: ppp: Add bound checking for skb d on ppp_sync_txmung

[Arnaud Lecomte]

Thanks Paolo for the feedback, I'll make sure to follow your 
recommendations next time.

Have a lovely day,

Arnaud

On 10/04/2025 11:30, Paolo Abeni wrote:
> On 4/8/25 5:55 PM, Arnaud Lecomte wrote:
> > Ensure we have enough data in linear buffer from skb before accessing
> > initial bytes. This prevents potential out-of-bounds accesses
> > when processing short packets.
> >
> > When ppp_sync_txmung receives an incoming package with an empty
> > payload:
> > (remote) gef➤  p *(struct pppoe_hdr *) (skb->head + skb->network_header)
> > $18 = {
> > 	type = 0x1,
> > 	ver = 0x1,
> > 	code = 0x0,
> > 	sid = 0x2,
> >          length = 0x0,
> > 	tag = 0xffff8880371cdb96
> > }
> >
> > from the skb struct (trimmed)
> >        tail = 0x16,
> >        end = 0x140,
> >        head = 0xffff88803346f400 "4",
> >        data = 0xffff88803346f416 ":\377",
> >        truesize = 0x380,
> >        len = 0x0,
> >        data_len = 0x0,
> >        mac_len = 0xe,
> >        hdr_len = 0x0,
> >
> > it is not safe to access data[2].
> >
> > Reported-by: syzbot+29fc8991b0ecb186cf40@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com/bug?extid=29fc8991b0ecb186cf40
> > Tested-by: syzbot+29fc8991b0ecb186cf40@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Signed-off-by: Arnaud Lecomte <contact@xxxxxxxxxxxxxx>
> A couple of notes for future submission: you should have included the
> target tree in the subj prefix (in this case: "[PATCH net v2]..."), and
> there is a small typo in the subjected (skb d -> skb data). The patch
> looks good I'm applying it.
>
> Thanks,
>
> Paolo