Re: [PATCH net 1/3] bridge: br_nd_send: linearize skb before parsing ND options

Next message: Miquel Raynal: "[PATCH v2 09/11] mtd: spinand: winbond: Create a helper to write the HS bit"
Previous message: Benjamin Tissoires: "Re: [PATCH] HID: cherry: Fix switch case formatting"
In reply to: Yang Yang: "[PATCH net 1/3] bridge: br_nd_send: linearize skb before parsing ND options"
Next in thread: Nikolay Aleksandrov: "Re: [PATCH net 1/3] bridge: br_nd_send: linearize skb before parsing ND options"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ido Schimmel

Date: Thu Mar 26 2026 - 12:41:34 EST

On Thu, Mar 26, 2026 at 03:44:39AM +0000, Yang Yang wrote:
> br_nd_send() parses neighbour discovery options from ns->opt[] and
> assumes that these options are in the linear part of request.
>
> Its callers only guarantee that the ICMPv6 header and target address
> are available, so the option area can still be non-linear. Parsing
> ns->opt[] in that case can access data past the linear buffer.
>
> Linearize request before option parsing and derive ns from the linear
> network header.
>
> Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
> Reported-by: Yifan Wu <yifanwucs@xxxxxxxxx>
> Reported-by: Juefei Pu <tomapufckgml@xxxxxxxxx>
> Tested-by: Ao Zhou <n05ec@xxxxxxxxxx>
> Co-developed-by: Yuan Tan <tanyuan98@xxxxxxxxxxx>
> Signed-off-by: Yuan Tan <tanyuan98@xxxxxxxxxxx>
> Suggested-by: Xin Liu <bird@xxxxxxxxxx>
> Signed-off-by: Yang Yang <n05ec@xxxxxxxxxx>

Reviewed-by: Ido Schimmel <idosch@xxxxxxxxxx>