[PATCH net-next v4 1/7] ipv6: Check of max HBH or DestOp sysctl is zero and... | netdev

[PATCH net-next v4 0/7] ipv6: Address ext hdr DoS vulnerabilities · Tom Herbert <hidden> · 2026-01-21
[PATCH net-next v4 1/7] ipv6: Check of max HBH or DestOp sysctl is zero and drop if it is · Tom Herbert <hidden> · 2026-01-21
Re: [PATCH net-next v4 1/7] ipv6: Check of max HBH or DestOp sysctl is zero and drop if it is · Justin Iurman <justin.iurman@gmail.com> · 2026-01-23
[PATCH net-next v4 2/7] ipv6: Cleanup IPv6 TLV definitions · Tom Herbert <hidden> · 2026-01-21
Re: [PATCH net-next v4 2/7] ipv6: Cleanup IPv6 TLV definitions · Justin Iurman <justin.iurman@gmail.com> · 2026-01-23
[PATCH net-next v4 3/7] ipv6: Add case for IPV6_TLV_TNL_ENCAP_LIMIT in EH TLV switch · Tom Herbert <hidden> · 2026-01-21
[PATCH net-next v4 4/7] ipv6: Set HBH and DestOpt limits to 2 · Tom Herbert <hidden> · 2026-01-21
[PATCH net-next v4 5/7] ipv6: Document defaults for max_{dst|hbh}_opts_number sysctls · Tom Herbert <hidden> · 2026-01-21
[PATCH net-next v4 6/7] ipv6: Enforce Extension Header ordering · Tom Herbert <hidden> · 2026-01-21
Re: [PATCH net-next v4 6/7] ipv6: Enforce Extension Header ordering · Justin Iurman <justin.iurman@gmail.com> · 2026-01-23
Re: [PATCH net-next v4 6/7] ipv6: Enforce Extension Header ordering · Tom Herbert <hidden> · 2026-01-26
Re: [PATCH net-next v4 6/7] ipv6: Enforce Extension Header ordering · Justin Iurman <justin.iurman@gmail.com> · 2026-01-26
Re: [PATCH net-next v4 6/7] ipv6: Enforce Extension Header ordering · Tom Herbert <hidden> · 2026-01-26
[PATCH net-next v4 7/7] ipv6: Document enforce_ext_hdr_order sysctl · Tom Herbert <hidden> · 2026-01-21

STALE148d

Revisions (7)

2026-01-19 v3 [diff vs current]
2026-01-21 v4 current
2026-01-26 v5 [diff vs current]
2026-02-03 v6 [diff vs current]
2026-02-04 v7 [diff vs current]
2026-03-14 v9 [diff vs current]
2026-05-04 v10 [diff vs current]

[PATCH net-next v4 1/7] ipv6: Check of max HBH or DestOp sysctl is zero and drop if it is

From: Tom Herbert <hidden>
Date: 2026-01-21 21:49:50
Subsystem: networking [general], networking [ipv4/ipv6], the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, David Ahern, Ido Schimmel, Linus Torvalds

In IPv6 Destination options processing function check if
net->ipv6.sysctl.max_dst_opts_cnt is zero up front. If it is zero then
drop the packet since Destination Options processing is disabled.

Similarly, in IPv6 hop-by-hop options processing function check if
net->ipv6.sysctl.max_hbh_opts_cnt is zero up front. If it is zero then
drop the packet since Hop-by-Hop Options processing is disabled.

Signed-off-by: Tom Herbert <redacted>
---
 net/ipv6/exthdrs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 54088fa0c09d..45bbad76f5de 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c

@@ -303,7 +303,8 @@ static int ipv6_destopt_rcv(struct sk_buff *skb)
 	struct net *net = dev_net(skb->dev);
 	int extlen;
 
-	if (!pskb_may_pull(skb, skb_transport_offset(skb) + 8) ||
+	if (!net->ipv6.sysctl.max_dst_opts_cnt ||
+	    !pskb_may_pull(skb, skb_transport_offset(skb) + 8) ||
 	    !pskb_may_pull(skb, (skb_transport_offset(skb) +
 				 ((skb_transport_header(skb)[1] + 1) << 3)))) {
 		__IP6_INC_STATS(dev_net(dst_dev(dst)), idev,

@@ -1041,7 +1042,8 @@ int ipv6_parse_hopopts(struct sk_buff *skb)
 	 * sizeof(struct ipv6hdr) by definition of
 	 * hop-by-hop options.
 	 */
-	if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + 8) ||
+	if (!net->ipv6.sysctl.max_hbh_opts_cnt ||
+	    !pskb_may_pull(skb, sizeof(struct ipv6hdr) + 8) ||
 	    !pskb_may_pull(skb, (sizeof(struct ipv6hdr) +
 				 ((skb_transport_header(skb)[1] + 1) << 3)))) {
 fail_and_free:

-- 
2.43.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help