Add sanity check for iph->ihl field in nf_flow_ip4_tunnel_proto routine. Moreover, similar to nf_flow_ip6_tunnel_proto(), rely on skb_header_pointer() to validate skb header layout.

Fixes: ab427db178858 ("netfilter: flowtable: Add IPIP rx sw acceleration")
Signed-off-by: Lorenzo Bianconi
---
 net/netfilter/nf_flow_table_ip.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 9c05a50d6013..9684c19da37a 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -319,15 +319,17 @@ static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb,
 static bool nf_flow_ip4_tunnel_proto(struct nf_flowtable_ctx *ctx,
				      struct sk_buff *skb)
 {
-	struct iphdr *iph;
+	struct iphdr *iph, _iph;
 	u16 size;
 
-	if (!pskb_may_pull(skb, sizeof(*iph) + ctx->offset))
+	iph = skb_header_pointer(skb, ctx->offset, sizeof(*iph), &_iph);
+	if (!iph)
 		return false;
 
-	iph = (struct iphdr *)(skb_network_header(skb) + ctx->offset);
-	size = iph->ihl << 2;
+	if (iph->ihl < 5)
+		return false;
 
+	size = iph->ihl << 2;
 	if (ip_is_fragment(iph) || unlikely(ip_has_options(size)))
 		return false;
 
@@ -335,9 +337,9 @@ static bool nf_flow_ip4_tunnel_proto(struct nf_flowtable_ctx *ctx,
 		return false;
 
 	if (iph->protocol == IPPROTO_IPIP) {
-		ctx->tun.proto = IPPROTO_IPIP;
+		ctx->tun.proto = iph->protocol;
 		ctx->tun.hdr_size = size;
-		ctx->offset += size;
+		ctx->offset += ctx->tun.hdr_size;
 	}
 
 	return true;
---
base-commit: 4aacf509e537a711fa71bca9f234e5eb6968850e
change-id: 20260605-nf_flow_ip4_tunnel_proto-update-b31f7bff6fb9

Best regards,
-- 
Lorenzo Bianconi
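Review bot: The new `if (iph->ihl < 5)` guard in the first hunk has no comment explaining the magic value, and a reader has to know that ihl counts 32-bit words and that a header shorter than 20 bytes is malformed; a one-line comment such as `/* ihl is in 32-bit words; anything below 5 cannot hold a full struct iphdr */` would make the rejection self-explanatory. Replacing pskb_may_pull() with skb_header_pointer() also means this routine no longer guarantees the outer IPv4 header is in the linear area: `iph` may point at the stack copy `_iph`, so any later code in the IPv4 fast path that dereferences `skb_network_header(skb) + ctx->offset` directly must do its own pull — that code is outside the hunk and I cannot confirm it here. In the second hunk, `ctx->tun.proto = iph->protocol;` is assigned only inside `if (iph->protocol == IPPROTO_IPIP)`, so it is equivalent to the removed constant; that is a style choice rather than a fix and could be mentioned in the commit message. The function's closing brace lies past the end of the second hunk.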