Commit a01aee7c authored by Yang Yang's avatar Yang Yang Committed by Jakub Kicinski
Browse files

bridge: br_nd_send: linearize skb before parsing ND options 



br_nd_send() parses neighbour discovery options from ns->opt[] and
assumes that these options are in the linear part of request.

Its callers only guarantee that the ICMPv6 header and target address
are available, so the option area can still be non-linear. Parsing
ns->opt[] in that case can access data past the linear buffer.

Linearize request before option parsing and derive ns from the linear
network header.

Fixes: ed842fae ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
Reported-by: default avatarYifan Wu <yifanwucs@gmail.com>
Reported-by: default avatarJuefei Pu <tomapufckgml@gmail.com>
Tested-by: default avatarAo Zhou <n05ec@lzu.edu.cn>
Co-developed-by: default avatarYuan Tan <tanyuan98@outlook.com>
Signed-off-by: default avatarYuan Tan <tanyuan98@outlook.com>
Suggested-by: default avatarXin Liu <bird@lzu.edu.cn>
Signed-off-by: default avatarYang Yang <n05ec@lzu.edu.cn>
Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
Acked-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20260326034441.2037420-2-n05ec@lzu.edu.cn


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent c11c731a

net/bridge/br_arp_nd_proxy.c

+7 −5
Original line number Diff line number Diff line
@@ -251,12 +251,12 @@ struct nd_msg *br_is_nd_neigh_msg(const struct sk_buff *skb, struct nd_msg *msg) 


static void br_nd_send(struct net_bridge *br, struct net_bridge_port *p,

		       struct sk_buff *request, struct neighbour *n,

		       __be16 vlan_proto, u16 vlan_tci, struct nd_msg *ns)

		       __be16 vlan_proto, u16 vlan_tci)

{

	struct net_device *dev = request->dev;

	struct net_bridge_vlan_group *vg;

	struct nd_msg *na, *ns;

	struct sk_buff *reply;

	struct nd_msg *na;

	struct ipv6hdr *pip6;

	int na_olen = 8; /* opt hdr + ETH_ALEN for target */

	int ns_olen;
@@ -264,7 +264,7 @@ static void br_nd_send(struct net_bridge *br, struct net_bridge_port *p, 
	u8 *daddr;

	u16 pvid;



	if (!dev)

	if (!dev || skb_linearize(request))

		return;



	len = LL_RESERVED_SPACE(dev) + sizeof(struct ipv6hdr) +
@@ -281,6 +281,8 @@ static void br_nd_send(struct net_bridge *br, struct net_bridge_port *p, 
	skb_set_mac_header(reply, 0);



	daddr = eth_hdr(request)->h_source;

	ns = (struct nd_msg *)(skb_network_header(request) +

			       sizeof(struct ipv6hdr));



	/* Do we need option processing ? */

	ns_olen = request->len - (skb_network_offset(request) +
@@ -472,9 +474,9 @@ void br_do_suppress_nd(struct sk_buff *skb, struct net_bridge *br, 
				if (vid != 0)

					br_nd_send(br, p, skb, n,

						   skb->vlan_proto,

						   skb_vlan_tag_get(skb), msg);

						   skb_vlan_tag_get(skb));

				else

					br_nd_send(br, p, skb, n, 0, 0, msg);

					br_nd_send(br, p, skb, n, 0, 0);

				replied = true;

			}