Re: [PATCH netfilter] netfilter: bridge: make sure to pull arp header in br_nf_forward_arp()

Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
> syzbot is kind enough to remind us we need to call skb_may_pull()

[..]

> Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
> Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
> Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
> ---
> 
> Note: Fixes: tag does not point to real bug origin, but is old enough
>      to cover all stable versions.

Indeed, looks like a day0 bug.  We don't have this problem for ipv4/6
because the prerouting hook does pskb_may_pull() as part of ipv4/6
header checks.  ARP doesn't have anything like it.

>  		nf_bridge_pull_encap_header(skb);
>  	}
>  
> +	if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
> +		return NF_DROP;
> +
>  	if (arp_hdr(skb)->ar_pln != 4) {
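
Review bot: the pull ahead of the arp_hdr(skb)->ar_pln test asks for sizeof(struct arphdr) only, which is the fixed 8-byte header and not the hardware and protocol addresses that follow it. That is enough for the ar_pln read shown here, but a one-line comment above the check saying that NFPROTO_ARP hooks reading the addresses must pull those bytes themselves would keep the guarantee from being over-read. Since pskb_may_pull() can reallocate the head, it is also worth confirming that nothing earlier in the function caches a header pointer across this call; the arp_hdr(skb) on the next line is re-derived after the pull, which is right.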

That's indeed the only location where we call NFPROTO_ARP hooks,
so this looks like the proper fix/location.

Thanks Eric!

Reviewed-by: Florian Westphal <fw@xxxxxxxxx>
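
A userspace toy model of the point made in this reply, added here as an illustration and not code from the kernel or from this thread: it imitates how a pskb_may_pull()-style check guarantees that the fixed ARP header is in the linear area before ar_pln is read. The names `toy_skb`, `toy_skb_new()`, `toy_may_pull()` and `toy_arp_pln()` and the sample packet are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an skb (assumption, not the kernel struct): 'head' is the
 * linear area header pointers may dereference, 'frag' is the paged remainder. */
struct toy_skb { uint8_t *head; size_t headlen; const uint8_t *frag; size_t fraglen; };
/* Fixed 8-byte ARP header, same field layout as struct arphdr. */
struct toy_arphdr { uint16_t ar_hrd, ar_pro; uint8_t ar_hln, ar_pln; uint16_t ar_op; };
/* Constructed sample: ARP request, Ethernet/IPv4, address bytes zeroed. */
static const uint8_t SAMPLE_ARP[28] = { 0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, 0x01 };

/* Split a packet into 'linear' bytes of head plus one fragment. */
static struct toy_skb toy_skb_new(const uint8_t *pkt, size_t len, size_t linear)
{
    struct toy_skb skb = { malloc(linear), linear, pkt + linear, len - linear };
    if (!skb.head) abort();
    memcpy(skb.head, pkt, linear);
    return skb;
}

/* Model of pskb_may_pull(): ensure 'len' bytes are linear, copying from the
 * fragment when needed. Returns 0 if the packet is too short or on OOM. */
static int toy_may_pull(struct toy_skb *skb, size_t len)
{
    if (len <= skb->headlen)
        return 1;
    if (len > skb->headlen + skb->fraglen)
        return 0;
    size_t need = len - skb->headlen;
    uint8_t *p = realloc(skb->head, len);  /* head may move: old pointers go stale */
    if (!p)
        return 0;
    memcpy(p + skb->headlen, skb->frag, need);
    skb->head = p; skb->headlen = len;
    skb->frag += need; skb->fraglen -= need;
    return 1;
}

/* The patched order: pull first, then read ar_pln. Returns -1 for a drop. */
static int toy_arp_pln(struct toy_skb *skb)
{
    struct toy_arphdr hdr;
    if (!toy_may_pull(skb, sizeof(hdr)))
        return -1;
    memcpy(&hdr, skb->head, sizeof(hdr));  /* re-derive from head after the pull */
    return hdr.ar_pln;
}
```

Without the `toy_may_pull()` call, the 4-byte-linear case would read ar_pln (offset 5) past the end of `head`, which is the class of out-of-bounds read the patch closes.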
