[nf,1/1] netfilter: ip6t_hbh: reject oversized option lists

Message ID	d2ac2409a17211ebad6d137cb4cf81f3f329d875.1778633212.git.zcliangcn@gmail.com
State	Accepted, archived
Headers	show Return-Path: <netfilter-devel+bounces-12571-incoming=patchwork.ozlabs.org@vger.kernel.org> From: Ren Wei <n05ec@lzu.edu.cn> To: netfilter-devel@vger.kernel.org Cc: pablo@netfilter.org, fw@strlen.de, phil@nwl.cc, yuantan098@gmail.com, yifanwucs@gmail.com, tomapufckgml@gmail.com, bird@lzu.edu.cn, zcliangcn@gmail.com, n05ec@lzu.edu.cn Subject: [PATCH nf 1/1] netfilter: ip6t_hbh: reject oversized option lists Date: Wed, 13 May 2026 15:57:17 +0800 Message-ID: <d2ac2409a17211ebad6d137cb4cf81f3f329d875.1778633212.git.zcliangcn@gmail.com> In-Reply-To: <cover.1778633212.git.zcliangcn@gmail.com> References: <cover.1778633212.git.zcliangcn@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[nf,1/1] netfilter: ip6t_hbh: reject oversized option lists \| expand [nf,1/1] netfilter: ip6t_hbh: reject oversized option lists

Message ID

d2ac2409a17211ebad6d137cb4cf81f3f329d875.1778633212.git.zcliangcn@gmail.com

State

Accepted, archived

Headers

From: Ren Wei <n05ec@lzu.edu.cn>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org,
	fw@strlen.de,
	phil@nwl.cc,
	yuantan098@gmail.com,
	yifanwucs@gmail.com,
	tomapufckgml@gmail.com,
	bird@lzu.edu.cn,
	zcliangcn@gmail.com,
	n05ec@lzu.edu.cn
Subject: [PATCH nf 1/1] netfilter: ip6t_hbh: reject oversized option lists
Date: Wed, 13 May 2026 15:57:17 +0800
Message-ID: 
 <d2ac2409a17211ebad6d137cb4cf81f3f329d875.1778633212.git.zcliangcn@gmail.com>
In-Reply-To: <cover.1778633212.git.zcliangcn@gmail.com>
References: <cover.1778633212.git.zcliangcn@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[nf,1/1] netfilter: ip6t_hbh: reject oversized option lists | expand

Commit Message

Ren Wei May 13, 2026, 7:57 a.m. UTC

From: Zhengchuan Liang <zcliangcn@gmail.com>

struct ip6t_opts stores at most IP6T_OPTS_OPTSNR option descriptors,
but hbh_mt6_check() does not reject larger optsnr values supplied from
userspace.

Validate optsnr in the rule setup path so only match data that fits the
fixed-size opts array can be installed. This follows the existing xtables
pattern of rejecting invalid user-provided counts in checkentry() and
keeps the packet matching path unchanged.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 net/ipv6/netfilter/ip6t_hbh.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index e7a3fb9355ee..450dd53846a2 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -168,6 +168,10 @@  static int hbh_mt6_check(const struct xt_mtchk_param *par)
 		pr_debug("unknown flags %X\n", optsinfo->invflags);
 		return -EINVAL;
 	}
+	if (optsinfo->optsnr > IP6T_OPTS_OPTSNR) {
+		pr_debug("too many supported opts specified\n");
+		return -EINVAL;
+	}
 
 	if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
 		pr_debug("Not strict - not implemented");

[nf,1/1] netfilter: ip6t_hbh: reject oversized option lists

Commit Message

Patch