Commit afa9a05e authored Mar 26, 2026 by Yang Yang Committed by Jakub Kicinski Mar 27, 2026

vxlan: validate ND option lengths in vxlan_na_create



vxlan_na_create() walks ND options according to option-provided
lengths. A malformed option can make the parser advance beyond the
computed option span or use a too-short source LLADDR option payload.

Validate option lengths against the remaining NS option area before
advancing, and only read source LLADDR when the option is large enough
for an Ethernet address.

Fixes: 4b29dba9 ("vxlan: fix nonfunctional neigh_reduce()")
Cc: stable@vger.kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Tested-by: Ao Zhou <n05ec@lzu.edu.cn>
Co-developed-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20260326034441.2037420-4-n05ec@lzu.edu.cn


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 85083796

drivers/net/vxlan/vxlan_core.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -1965,11 +1965,13 @@ static struct sk_buff vxlan_na_create(struct sk_buff request,
		ns_olen = request->len - skb_network_offset(request) -
		sizeof(struct ipv6hdr) - sizeof(*ns);
		for (i = 0; i < ns_olen-1; i += (ns->opt[i+1]<<3)) {
		if (!ns->opt[i + 1]) {
		if (!ns->opt[i + 1] \|\| i + (ns->opt[i + 1] << 3) > ns_olen) {
		kfree_skb(reply);
		return NULL;
		}
		if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) {
		if ((ns->opt[i + 1] << 3) >=
		sizeof(struct nd_opt_hdr) + ETH_ALEN)
		daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
		break;
		}