[PATCH] ipv6: ndisc: fix potential out-of-bounds read in ndisc_router_discovery()

From: Rafal Bilkowski
Date: Mon Jun 02 2025 - 02:58:43 EST

Next message: Balamanikandan.Gunasundar: "Re: [PATCH v3 1/4] dt-bindings: mtd: microchip-nand: convert txt to yaml"
Previous message: Dan Carpenter: "net/netlabel/netlabel_kapi.c:1200 netlbl_conn_setattr() warn: inconsistent returns 'rcu_read'."
Next in thread: Kuniyuki Iwashima: "Re: [PATCH] ipv6: ndisc: fix potential out-of-bounds read in ndisc_router_discovery()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This patch adds a length check at the start of ndisc_router_discovery()
to prevent a potential out-of-bounds read if a short packet is received.
Without this check, the function may dereference memory outside the
buffer.

Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
Signed-off-by: Rafal Bilkowski <rafalbilkowski@xxxxxxxxx>
---
net/ipv6/ndisc.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 8d853971f2f6..bdaac5a195d6 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1235,6 +1235,10 @@ static void ndisc_ra_useropt(struct sk_buff *ra, struct nd_opt_hdr *opt)

static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb)
{
+ // Check if the buffer contains enough data for the struct ra_msg
+ if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct ra_msg)))
+ return SKB_DROP_REASON_PKT_TOO_SMALL;
+
struct ra_msg *ra_msg = (struct ra_msg *)skb_transport_header(skb);
bool send_ifinfo_notify = false;
struct neighbour *neigh = NULL;
--
2.43.0

Next message: Balamanikandan.Gunasundar: "Re: [PATCH v3 1/4] dt-bindings: mtd: microchip-nand: convert txt to yaml"
Previous message: Dan Carpenter: "net/netlabel/netlabel_kapi.c:1200 netlbl_conn_setattr() warn: inconsistent returns 'rcu_read'."
Next in thread: Kuniyuki Iwashima: "Re: [PATCH] ipv6: ndisc: fix potential out-of-bounds read in ndisc_router_discovery()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]