On Fri, Mar 03, 2023 at 07:12:38PM -0500, Xin Long wrote: > In the while loop of br_nf_check_hbh_len(), similar to ip6_parse_tlv(), > before accessing 'nh[off + 1]', it should add a check 'len < 2'; and > before parsing IPV6_TLV_JUMBO, it should add a check 'optlen > len', > in case of overflows. > > Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx> Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx> > --- > net/bridge/br_netfilter_ipv6.c | 47 ++++++++++++++++------------------ > 1 file changed, 22 insertions(+), 25 deletions(-) > > diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c > index 5cd3e4c35123..50f564c33551 100644 > --- a/net/bridge/br_netfilter_ipv6.c > +++ b/net/bridge/br_netfilter_ipv6.c ... > - if (len == 0) > - return 0; > -bad: > - return -1; > + if (len) > + return -1; > + > + return 0; nit: if you have to spin a v2, you may want to consider return len ? -1 : 0;
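
Review bot: in the final hunk the tail becomes 'if (len) return -1; return 0;' and the 'bad:' label is dropped, so the two checks the commit message adds ('len < 2' before reading 'nh[off + 1]', 'optlen > len' before parsing IPV6_TLV_JUMBO) must each return -1 from inside the while loop. The loop body is elided in this quote ("..."), so it is worth confirming that both reject the packet outright and that neither falls through to the trailing 'if (len)' test. The commit message would also read better if it said what "overflows" means here, namely a read of nh[] past the remaining hop-by-hop option length. If this is intended as a fix, it should carry a Fixes: tag, since none is visible above the Signed-off-by.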