On 24 Jun 2026, at 11:05, Eelco Chaudron wrote:

> On 10 Jun 2026, at 10:04, Yuliang Xiao wrote:
>
>> Commit e150d409 ("packets: Validate ND option length in
>> packet_set_nd().", Coverity CID 278405) added a bounds check to the
>> Neighbor Discovery option walk in packet_set_nd(), but the
>> structurally identical option walk in odp_set_nd() was left unguarded.
>>
>> odp_set_nd() walks the ND link-layer-address options to locate the SLL
>> or TLL option before delegating the actual packet edit to
>> packet_set_nd().  Its loop only checks that ND_LLA_OPT_LEN bytes remain
>> and that lla_opt->len is non-zero; it does not verify that the full
>> option (lla_opt->len * ND_LLA_OPT_LEN bytes) fits within bytes_remain
>> before advancing past it.  A crafted ND packet carrying an oversized
>> option length therefore advances lla_opt beyond the L4 payload and
>> underflows bytes_remain, and the next iteration reads lla_opt->type /
>> lla_opt->len out of bounds.  This is the same defect, in the same
>> option-walk pattern, that CID 278405 reported for packet_set_nd().
>>
>> Apply the same loop condition used by the parent fix so an option is
>> only processed when it fully fits within the remaining bytes.
>>
>> Fixes: e60e935b1f37 ("Implement set-field for IPv6 ND fields (nd_target, nd_sll, and nd_tll).")
>> Signed-off-by: Yuliang Xiao <[email protected]>
>
> Thanks Yuliang, the patch looks good to me, and thanks for fixing what I 
> forgot.
>
> Acked-by: Eelco Chaudron <[email protected]>

Once again, thanks Yuliang, the patch was applied to main.

//Eelco

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
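
The option walk described in the commit message above, modelled as an added example (not the OVS source and not part of the original thread). It walks by offset so the unguarded loop condition can be shown reporting where it would leave the buffer instead of actually reading out of bounds. The function name nd_find_lla, the result codes and the sample buffers are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_LLA_OPT_LEN 8   /* ND option lengths are in units of 8 bytes */
#define OPT_SLL 1          /* source link-layer address (RFC 4861) */
#define OPT_TLL 2          /* target link-layer address (RFC 4861) */

/* Result codes are assumptions made for this example. */
enum { WALK_NOT_FOUND = -1, WALK_OUT_OF_BOUNDS = -2 };

/* Constructed samples: an MTU option followed by a TLL option, and a lone
 * option whose length field claims 4 * 8 = 32 bytes in an 8-byte buffer. */
static const uint8_t good_opts[16] = { 5, 1, 0, 0, 0, 0, 5, 220,
                                       OPT_TLL, 1, 2, 0, 0, 0, 0, 1 };
static const uint8_t evil_opts[8] = { 5, 4, 0, 0, 0, 0, 5, 220 };

/* Model of the option walk.  Returns the offset of the first SLL/TLL option,
 * WALK_NOT_FOUND, or WALK_OUT_OF_BOUNDS where a pointer-based walk would
 * read the next option header outside the buffer.  guarded == 0 uses the
 * loop condition the commit message describes as insufficient; guarded != 0
 * also requires the whole option to fit in the remaining bytes. */
int nd_find_lla(const uint8_t *opts, size_t size, int guarded)
{
    size_t off = 0, remain = size;          /* remain mirrors bytes_remain */
    while (remain >= ND_LLA_OPT_LEN) {
        if (off > size - ND_LLA_OPT_LEN) {
            return WALK_OUT_OF_BOUNDS;      /* cursor already left the buffer */
        }
        size_t opt_bytes = (size_t) opts[off + 1] * ND_LLA_OPT_LEN;
        if (opt_bytes == 0 || (guarded && opt_bytes > remain)) {
            break;                          /* malformed: stop walking */
        }
        if (opts[off] == OPT_SLL || opts[off] == OPT_TLL) {
            return (int) off;
        }
        off += opt_bytes;
        remain -= opt_bytes;                /* wraps when opt_bytes > remain */
    }
    return WALK_NOT_FOUND;
}

int main(void)
{
    printf("crafted: unguarded=%d guarded=%d\n",
           nd_find_lla(evil_opts, sizeof evil_opts, 0),
           nd_find_lla(evil_opts, sizeof evil_opts, 1));
    return 0;
}
```

On well-formed options both variants return the same offset; they differ only when an option's length field exceeds the bytes that remain.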
