On Thu, Mar 26, 2026 at 03:44:39AM +0000, Yang Yang wrote:
> br_nd_send() parses neighbour discovery options from ns->opt[] and
> assumes that these options are in the linear part of request.
>
> Its callers only guarantee that the ICMPv6 header and target address
> are available, so the option area can still be non-linear. Parsing
> ns->opt[] in that case can access data past the linear buffer.
>
> Linearize request before option parsing and derive ns from the linear
> network header.
>
> Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
> Reported-by: Yifan Wu <[email protected]>
> Reported-by: Juefei Pu <[email protected]>
> Tested-by: Ao Zhou <[email protected]>
> Co-developed-by: Yuan Tan <[email protected]>
> Signed-off-by: Yuan Tan <[email protected]>
> Suggested-by: Xin Liu <[email protected]>
> Signed-off-by: Yang Yang <[email protected]>
Reviewed-by: Ido Schimmel <[email protected]>
