On Wed, Jun 10, 2026 at 4:05 AM Yuliang Xiao <[email protected]>
wrote:
> Commit e150d409 ("packets: Validate ND option length in
> packet_set_nd().", Coverity CID 278405) added a bounds check to the
> Neighbor Discovery option walk in packet_set_nd(), but the
> structurally identical option walk in odp_set_nd() was left unguarded.
>
> odp_set_nd() walks the ND link-layer-address options to locate the SLL
> or TLL option before delegating the actual packet edit to
> packet_set_nd(). Its loop only checks that ND_LLA_OPT_LEN bytes remain
> and that lla_opt->len is non-zero; it does not verify that the full
> option (lla_opt->len * ND_LLA_OPT_LEN bytes) fits within bytes_remain
> before advancing past it. A crafted ND packet carrying an oversized
> option length therefore advances lla_opt beyond the L4 payload and
> underflows bytes_remain, and the next iteration reads lla_opt->type /
> lla_opt->len out of bounds. This is the same defect, in the same
> option-walk pattern, that CID 278405 reported for packet_set_nd().
>
> Apply the same loop condition used by the parent fix so an option is
> only processed when it fully fits within the remaining bytes.
>
> Fixes: e60e935b1f37 ("Implement set-field for IPv6 ND fields (nd_target,
> nd_sll, and nd_tll).")
> Signed-off-by: Yuliang Xiao <[email protected]>
>
Thanks for submitting this Yuliang!
Acked-by: Mike Pattrick <[email protected]>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
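
The option walk described in the quoted commit message, as an added example that is not part of the original thread and is not Open vSwitch code. It is a simplified model: `walk_nd_opts`, `enum walk_result`, `OPT_SLL`/`OPT_TLL` and the sample buffers are hypothetical names, and `ND_LLA_OPT_LEN` is assumed to be 8, the option length unit from RFC 4861.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ND_LLA_OPT_LEN 8 /* Assumed: RFC 4861 option length unit, in bytes. */
#define OPT_SLL 1        /* Source link-layer address option type. */
#define OPT_TLL 2        /* Target link-layer address option type. */

enum walk_result { WALK_NOT_FOUND, WALK_FOUND, WALK_OVERRUN };

/* Hypothetical model of the option walk. check_fit == 0 keeps only the two
 * conditions the commit message lists (one unit remains, len != 0);
 * check_fit == 1 also requires the whole option to fit. An overrun is
 * reported rather than performed, so nothing outside buf is ever read. */
static enum walk_result walk_nd_opts(const uint8_t *buf, size_t len,
                                     uint8_t want, int check_fit,
                                     size_t *found_off)
{
    size_t off = 0, remain = len;
    while (remain >= ND_LLA_OPT_LEN && buf[off + 1] != 0) {
        size_t opt_bytes = (size_t) buf[off + 1] * ND_LLA_OPT_LEN;
        if (opt_bytes > remain) {
            /* Unguarded walk: the cursor would step past the payload and
             * remain would wrap around. Guarded walk: stop cleanly. */
            return check_fit ? WALK_NOT_FOUND : WALK_OVERRUN;
        }
        if (buf[off] == want && buf[off + 1] == 1) {
            *found_off = off;
            return WALK_FOUND;
        }
        off += opt_bytes;
        remain -= opt_bytes;
    }
    return WALK_NOT_FOUND;
}

/* Constructed samples: a well-formed SLL + TLL pair, and the same bytes with
 * the first option's length raised to 4 units (32 bytes) in a 16-byte buffer. */
static const uint8_t good_opts[16] = { OPT_SLL, 1, 2, 0, 0, 0, 0, 1,
                                       OPT_TLL, 1, 2, 0, 0, 0, 0, 2 };
static const uint8_t crafted_opts[16] = { OPT_SLL, 4, 2, 0, 0, 0, 0, 1,
                                          OPT_TLL, 1, 2, 0, 0, 0, 0, 2 };

int main(void)
{
    size_t off = 0;
    printf("good, unguarded:    %d\n", walk_nd_opts(good_opts, 16, OPT_TLL, 0, &off));
    printf("crafted, unguarded: %d\n", walk_nd_opts(crafted_opts, 16, OPT_TLL, 0, &off));
    printf("crafted, guarded:   %d\n", walk_nd_opts(crafted_opts, 16, OPT_TLL, 1, &off));
    return 0;
}
```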