Geneve GRO receive only consumes the netdev GRO hint option when the receiving Geneve socket has gro_hint enabled. geneve_gro_complete(), however, parses the hint option directly with geneve_opt_gro_hint_off() and therefore extends the completion offset even for sockets that did not enable hint processing. That lets a packet for a normal Geneve socket carry a syntactically valid hint with an attacker-controlled nested_hdr_len. GRO receive validates and pulls only the ordinary Geneve header/options, but completion can then run the inner protocol completion callback at nhoff + gh_len where gh_len includes the untrusted hint length. This can make completion access beyond the header area validated by receive. Use geneve_sk_gro_hint_off() in the completion path, matching receive and post-decap processing, so the hint is honored only for sockets that enabled the feature. Fixes: fd0dd796576e ("geneve: use GRO hint option in the RX path") Signed-off-by: Kyle Zeng --- drivers/net/geneve.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c index c6563367d382..d62cbee6c0fe 100644 --- a/drivers/net/geneve.c +++ b/drivers/net/geneve.c @@ -948,13 +948,13 @@ static int geneve_gro_complete(struct sock *sk, struct sk_buff *skb, struct genevehdr *gh; struct packet_offload *ptype; __be16 type; - int gh_len; + unsigned int gh_len; int err = -ENOSYS; gh = (struct genevehdr *)(skb->data + nhoff); gh_len = geneve_hlen(gh); type = gh->proto_type; - geneve_opt_gro_hint_off(gh, &type, &gh_len); + geneve_sk_gro_hint_off(sk, gh, &type, &gh_len); /* since skb->encapsulation is set, eth_gro_complete() sets the inner mac header */ if (likely(type == htons(ETH_P_TEB))) -- 2.43.0
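Review bot: the change from `int gh_len;` to `unsigned int gh_len;` is not explained in the commit message, which only describes the switch from `geneve_opt_gro_hint_off(gh, &type, &gh_len);` to `geneve_sk_gro_hint_off(sk, gh, &type, &gh_len);`; if the type change is required to match that function's parameter type, say so, because the signedness of a value later used as the offset `nhoff + gh_len` is exactly what a reader of a bounds-related fix will want to understand. It would also help to state explicitly that, for sockets with gro_hint enabled, the receive path has already validated the hint's nested_hdr_len before completion folds it into gh_len, since after this patch completion still trusts that length for those sockets.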