will be in the maintainance mode on Wednesday June 29th 01:00 - 10:00 (UTC+1). Repositories is read only during the maintainance.

  • Willem de Bruijn's avatar
    ip: validate header length on virtual device xmit · cb9f1b78
    Willem de Bruijn authored
    KMSAN detected read beyond end of buffer in vti and sit devices when
    passing truncated packets with PF_PACKET. The issue affects additional
    ip tunnel devices.
    Extend commit 76c0ddd8 ("ip6_tunnel: be careful when accessing the
    inner header") and commit ccfec9e5
     ("ip_tunnel: be careful when
    accessing the inner header").
    Move the check to a separate helper and call at the start of each
    ndo_start_xmit function in net/ipv4 and net/ipv6.
    Minor changes:
    - convert dev_kfree_skb to kfree_skb on error path,
      as dev_kfree_skb calls consume_skb which is not for error paths.
    - use pskb_network_may_pull even though that is pedantic here,
      as the same as pskb_may_pull for devices without llheaders.
    - do not cache ipv6 hdrs if used only once
      (unsafe across pskb_may_pull, was more relevant to earlier patch)
    Reported-by: default avatarsyzbot <>
    Signed-off-by: default avatarWillem de Bruijn <>
    Signed-off-by: default avatarDavid S. Miller <>
ip6mr.c 58.2 KB