[PATCH v5 net-next 09/15] net: dsa: add NETC switch tag support

Wei Fang wei.fang at nxp.com
Wed May 6 00:34:55 PDT 2026


> +static void netc_flow_dissect(const struct sk_buff *skb, __be16 *proto,
> +			      int *offset)
> +{
> +	struct netc_tag_cmn *tag_cmn = (struct netc_tag_cmn *)(skb->data - 2);
> +	int tag_len = netc_get_rx_tag_len(tag_cmn->type);
> +
> +	*offset = tag_len;
> +	*proto = ((__be16 *)skb->data)[(tag_len / 2) - 1];
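Review bot: Neither read in netc_flow_dissect() is bounded by the linear data length: the cast of `skb->data - 2` is dereferenced for tag_cmn->type, and `((__be16 *)skb->data)[(tag_len / 2) - 1]` reads at an offset derived from that type byte, with no comparison against skb_headlen(skb). If the function relies on a guarantee from the receive path, a comment stating that invariant at this point would make the assumption reviewable. Otherwise, skb_header_pointer() with an on-stack buffer works on a const skb and lets the function return without touching *proto and *offset when the tag is not fully present. It is also worth handling the case where netc_get_rx_tag_len() returns a value smaller than 2 for an unexpected type, since the index would then be -1.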

Below is the comment from Sashiko.

Can this direct access to skb->data cause an out-of-bounds read?

When __skb_flow_dissect() invokes ops->flow_dissect() on a packet injected by
a local user with a small linear area (where skb_headlen(skb) < tag_len),
these accesses might read past skb->tail into uninitialized memory or unmapped
pages.

Since pskb_may_pull() cannot be used on a const struct sk_buff, does this
dissector need to use skb_header_pointer() to safely extract the fields?

This is a false positive, or at least it can be ignored. The RX minimum frame
length of each NETC switch port is set to 64 bytes. The frame will be received
by the ENETC driver. From the hardware perspective, each RX BD receive
buffer is at least 128 bytes, so the skb's linear buffer will definitely contain
the switch tag.



