diff options
| author | Roshan Kumar <roshaen09@gmail.com> | 2026-03-01 10:56:38 +0000 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2026-03-02 08:53:00 +0100 |
| commit | 0d10393d5eac33cbd92f7a41fddca12c41d3cb7e (patch) | |
| tree | 13af98896eda5289c4c43825ad5147e52928a63b /tools/perf/scripts/python/bin/stackcollapse-report | |
| parent | 0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2 (diff) | |
xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
Add validation of the inner IPv4 packet tot_len and ihl fields parsed
from decrypted IPTFS payloads in __input_process_payload(). A crafted
ESP packet containing an inner IPv4 header with tot_len=0 causes an
infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
data offset never advances and the while(data < tail) loop never
terminates, spinning forever in softirq context.
Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
iphdr), which catches both the tot_len=0 case and malformed ihl values.
The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
extracts and processes inner packets before they reach that layer.
Reported-by: Roshan Kumar <roshaen09@gmail.com>
Fixes: 6c82d2433671 ("xfrm: iptfs: add basic receive packet (tunnel egress) handling")
Cc: stable@vger.kernel.org
Signed-off-by: Roshan Kumar <roshaen09@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'tools/perf/scripts/python/bin/stackcollapse-report')
0 files changed, 0 insertions, 0 deletions