During the IP defragmentation process, after the reassembly is finished
with the last packet arriving with MF=0, the reassembly state wrt.
static counters is not cleared. In case this last arriving packet with
MF=0 gets duplicated, payload bytes are mistakingly treated as hole data.
A malicious actor who can deliver fragmented IP traffic to a U-Boot
instance with CONFIG_IP_DEFRAG=y can corrupt memory via out-of-bound
writes and redirect control flow into attacker-supplied payload bytes
that already sit in `pkt_buff[]`.
Publicly available AI models are able to generate a reproducer based
on the provided information.
Fix: once the assembled packet has been handed back to the caller, mark
the reassembly state empty so that any further fragment (duplicate,
replay, or a brand-new datagram that happens to reuse the `ip_id`) goes
through the normal re-init path and rebuilds a clean hole list instead
of dereferencing payload bytes as struct hole.
Fixes: 5cfaa4e54d0e ("net: defragment IP packets")
Reported-by: Mariusz Madej <[email protected]>
Signed-off-by: Mateusz Furdyna <[email protected]>
---
net/net.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/net.c b/net/net.c
index ae3b977781f..caaee3ff30c 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1103,6 +1103,14 @@ static struct ip_udp_hdr *__net_defragment(struct
ip_udp_hdr *ip, int *lenp)
*lenp = total_len + IP_HDR_SIZE;
localip->ip_len = htons(*lenp);
+
+ /* Mark the reassembly state empty so that any further
+ * fragment goes through the normal re-init path and
+ * rebuilds a clean hole list
+ */
+ total_len = 0;
+ first_hole = 0;
+
return localip;
}
---
base-commit: 30b77f6aa146c96b831cb4ece038130b655b6a41
change-id: 20260530-ip_defrag-130c345dd9db
Best regards,
--
Mateusz Furdyna <[email protected]>
