This is a note to let you know that I've just added the patch titled ipv6: Fix out-of-bounds access in ipv6_find_tlv() to the 6.3-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch and it can be found in the queue-6.3 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 878ecb0897f4737a4c9401f3523fd49589025671 Mon Sep 17 00:00:00 2001 From: Gavrilov Ilia <Ilia.Gavrilov@xxxxxxxxxxx> Date: Tue, 23 May 2023 08:29:44 +0000 Subject: ipv6: Fix out-of-bounds access in ipv6_find_tlv() From: Gavrilov Ilia <Ilia.Gavrilov@xxxxxxxxxxx> commit 878ecb0897f4737a4c9401f3523fd49589025671 upstream. optlen is fetched without checking whether there is more than one byte to parse. It can lead to out-of-bounds access. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes: c61a40432509 ("[IPV6]: Find option offset by type.") Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@xxxxxxxxxxx> Reviewed-by: Jiri Pirko <jiri@xxxxxxxxxx> Reviewed-by: David Ahern <dsahern@xxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/ipv6/exthdrs_core.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/ipv6/exthdrs_core.c +++ b/net/ipv6/exthdrs_core.c @@ -143,6 +143,8 @@ int ipv6_find_tlv(const struct sk_buff * optlen = 1; break; default: + if (len < 2) + goto bad; optlen = nh[offset + 1] + 2; if (optlen > len) goto bad; Patches currently in stable-queue which might be from Ilia.Gavrilov@xxxxxxxxxxx are queue-6.3/ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch