On 6/19/26 2:29 PM, Sechang Lim wrote:
sockmap_parse_prog.c is attached as an SK_SKB stream parser and modifies the skb. It calls bpf_skb_pull_data() and writes a byte into the packet. A stream parser runs on strparser's message head and must not modify it. A resize frees the frag_list segments strparser still tracks, leading to a use-after-free. Make the parser read-only. It only needs to return the message length, which keeps it attaching once packet-modifying parsers are rejected. Signed-off-by: Sechang Lim <[email protected]>
This series should target bpf-next. Reviewed-by: Jiayuan Chen <[email protected]>
