Commit 5e67ba9b authored Mar 25, 2026 by Pengpeng Hou Committed by David S. Miller Mar 27, 2026

net/ipv6: ioam6: prevent schema length wraparound in trace fill



ioam6_fill_trace_data() stores the schema contribution to the trace
length in a u8. With bit 22 enabled and the largest schema payload,
sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the
remaining-space check. __ioam6_fill_trace_data() then positions the
write cursor without reserving the schema area but still copies the
4-byte schema header and the full schema payload, overrunning the trace
buffer.

Keep sclen in an unsigned int so the remaining-space check and the write
cursor calculation both see the full schema length.

Fixes: 8c6f6fa6 ("ipv6: ioam: IOAM Generic Netlink API")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent ae05340c

net/ipv6/ioam6.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -708,7 +708,7 @@ static void __ioam6_fill_trace_data(struct sk_buff *skb,
		struct ioam6_namespace *ns,
		struct ioam6_trace_hdr *trace,
		struct ioam6_schema *sc,
		u8 sclen, bool is_input)
		unsigned int sclen, bool is_input)
		{
		struct net_device *dev = skb_dst_dev(skb);
		struct timespec64 ts;
		@@ -939,7 +939,7 @@ void ioam6_fill_trace_data(struct sk_buff *skb,
		bool is_input)
		{
		struct ioam6_schema *sc;
		u8 sclen = 0;
		unsigned int sclen = 0;

		/* Skip if Overflow flag is set
		*/