Sashiko pointed out [1]: On architectures like MIPS, the while-loop won't stop in ip_fast_csum().
To avoid such issues caused by invalid iph->ihl in lwt, add check "iph->ihl < 5" in bpf_lwt_push_ip_encap() to make sure iph->ihl is valid.

[1] https://lore.kernel.org/bpf/[email protected]/

Fixes: 52f278774e79 ("bpf: implement BPF_LWT_ENCAP_IP mode in bpf_lwt_push_encap")
Signed-off-by: Leon Hwang <[email protected]>
--- net/core/lwt_bpf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c index 8009e427851f..c306120e11d2 100644 --- a/net/core/lwt_bpf.c +++ b/net/core/lwt_bpf.c @@ -613,7 +613,7 @@ int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len, bool ingress) iph = (struct iphdr *)buff; if (iph->version == 4) { ipv4 = true; - if (unlikely(len < iph->ihl * 4)) + if (unlikely(iph->ihl < 5 || len < iph->ihl * 4)) return -EINVAL; } else if (iph->version == 6) { ipv4 = false; -- 2.54.0
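Review bot: the new `iph->ihl < 5` test in the IPv4 branch of bpf_lwt_push_ip_encap() uses a bare 5 with no explanation at the call site. Consider writing it as `sizeof(struct iphdr) / 4`, or adding a one-line comment that 5 words is the minimum IPv4 header length, so the bound is self-documenting. The check is otherwise sound: combined with `len < iph->ihl * 4` it also guarantees len is at least 20 bytes for IPv4, so the fixed header is fully covered by the caller-supplied buffer. The commit message would also benefit from one sentence on why an ihl below 5 keeps the loop in ip_fast_csum() from terminating, so the reasoning does not depend on the link in [1] alone.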

