KaFai Wan [off-list ref] writes:
On Mon, 2026-01-05 at 11:46 +0100, Toke Høiland-Jørgensen wrote:
quoted
KaFai Wan [off-list ref] writes:
quoted
This fix reverts to the original version and ensures data_hard_start
correctly points to the xdp_frame structure, eliminating the security
risk.
This is wrong. We should just be checking the meta_len on input to
account for the size of xdp_frame. I'll send a patch.
Current version the actual limit of the max input meta_len for live frames is
XDP_PACKET_HEADROOM - sizeof(struct xdp_frame), not
XDP_PACKET_HEADROOM.
By "current version", you mean the patch I sent[0], right?
If so, that was deliberate: the stack limits the maximum data_meta size
to XDP_PACKET_HEADROOM - sizeof(struct xdp_frame), so there's no reason
not to do the same for bpf_prog_run(). And some chance that diverging
here will end up surfacing other bugs down the line.
-Toke
[0] https://lore.kernel.org/r/20260105114747.1358750-1-toke@redhat.com (local)