diff options
| author |   David Carlier <devnexen@gmail.com> | 2026-05-02 15:19:45 +0100 |
|---|---|---|
| committer |   Jakub Kicinski <kuba@kernel.org> | 2026-05-04 19:25:14 -0700 |
| commit | 30cb24f97d44f6b81c14b85c5323de62eef1fb7f (patch) | |
| tree | f956e3ce16abc379cb438a53948fa6b8dd0a1ec7 /samples/kobject/ssh:/git@git.zx2c4.com | |
| parent | net: prevent possible UAF in rtnl_prop_list_size() (diff) | |
psp: strip variable-length PSP header in psp_dev_rcv()
psp_dev_rcv() unconditionally removes a fixed PSP_ENCAP_HLEN, even
when psph->hdrlen indicates that the PSP header carries optional
fields. A frame whose PSP header advertises a non-zero VC or any
extension would therefore be silently mis-decapsulated: option bytes
would spill into the inner packet head and downstream parsing would
fail on a corrupted skb.
Compute the full PSP header length from psph->hdrlen, pull the
optional bytes into the linear region, and strip the whole header
when decapsulating. Optional fields (VC, ...) are still ignored,
just discarded with the rest of the header instead of leaking.
crypt_offset and the VIRT flag are intentionally not validated here
- callers know their device's PSP implementation and can decide.
Both in-tree callers gate on hardware-validated PSP, so this is a
correctness fix rather than a reachable corruption path under
current configurations.
Fixes: 0eddb8023cee ("psp: provide decapsulation and receive helper for drivers")
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Daniel Zahka <daniel.zahka@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Link: https://patch.msgid.link/20260502141945.14484-1-devnexen@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'samples/kobject/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions