CVE-2026-46266
Description
Linux kernel RAW sockets are vulnerable to malicious ICMP packets causing FNHE cache changes, fixed by dropping matching packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Linux kernel is vulnerable in its handling of RAW sockets using IPPROTO_RAW (255). A malicious incoming ICMP packet with a protocol field set to 255 can match such a socket, leading to unintended changes in the FNHE cache. This vulnerability affects systems where a RAW socket is created with socket(AF_INET, SOCK_RAW, 255). The fix ensures these malicious packets are dropped [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious ICMP packet. This packet needs to have its protocol field set to 255 and be directed towards a system that has an active RAW socket configured with IPPROTO_RAW. The attacker would send an ICMP packet, potentially of type 3 code 4 (Destination Unreachable, Protocol Unreachable), with an inner IP packet that has the protocol field set to 255, targeting the vulnerable system [1].
Impact
Successful exploitation of this vulnerability can lead to modifications in the FNHE (Forwarding Next Hop Extension) cache. The exact impact of these changes is not fully detailed in the available references, but it implies a potential for network disruption or manipulation of routing information within the affected system [1].
Mitigation
This vulnerability has been resolved in the Linux kernel. The fix involves ensuring that RAW sockets using IPPROTO_RAW properly drop incoming ICMP packets that match the protocol field. The specific fixed version and release date are not detailed in the provided references, nor is information on workarounds or end-of-life status [1].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
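A user-space model of the check the fix adds, written as an added example for this page (it is not kernel code and not part of the patch): it classifies a captured IPv4 ICMP error by the protocol field of the quoted inner IP header. The function names, the verdict values and the sample packet are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ICMP 1
#define PROTO_RAW  255 /* IPPROTO_RAW */
enum verdict { V_MALFORMED = -1, V_IGNORE, V_DELIVER, V_DROP_RAW };

/* Header length of the IPv4 header at p, or 0 if it cannot be one. */
static size_t ipv4_hlen(const uint8_t *p, size_t len)
{
    size_t hlen = (len >= 20 && (p[0] >> 4) == 4) ? (size_t)(p[0] & 0x0f) * 4 : 0;
    return (hlen >= 20 && hlen <= len) ? hlen : 0;
}

/* Classify one captured IPv4 packet; pkt points at the outer IP header. */
enum verdict classify_icmp_error(const uint8_t *pkt, size_t len)
{
    size_t outer = ipv4_hlen(pkt, len);
    if (!outer)
        return V_MALFORMED;
    if (pkt[9] != PROTO_ICMP)
        return V_IGNORE;
    if (len - outer < 8)
        return V_MALFORMED;
    uint8_t type = pkt[outer];
    /* RFC 792 error types, the ones that quote the offending datagram. */
    if (type != 3 && type != 4 && type != 5 && type != 11 && type != 12)
        return V_IGNORE;
    const uint8_t *inner = pkt + outer + 8;
    size_t inner_len = len - outer - 8;
    size_t ihl = ipv4_hlen(inner, inner_len);
    /* Same bound as the patch: full quoted IP header plus 8 bytes. */
    if (!ihl || inner_len < ihl + 8)
        return V_MALFORMED;
    return inner[9] == PROTO_RAW ? V_DROP_RAW : V_DELIVER;
}

/* Constructed sample: type 3 code 4 quoting a datagram; checksums zero. */
size_t build_sample(uint8_t buf[56], uint8_t inner_proto)
{
    memset(buf, 0, 56);
    buf[0] = 0x45; buf[3] = 56; buf[9] = PROTO_ICMP;     /* outer IPv4 */
    buf[20] = 3; buf[21] = 4;                            /* ICMP type, code */
    buf[28] = 0x45; buf[31] = 28; buf[37] = inner_proto; /* quoted IPv4 */
    return 56;
}

int main(void)
{
    uint8_t buf[56];
    size_t n = build_sample(buf, 255);
    printf("quoted proto 255 -> verdict %d\n", classify_icmp_error(buf, n));
    return 0;
}
```

The classifier trusts the capture length rather than the outer header's total-length field, so feed it whole frames with the link-layer header already stripped.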
Affected products: 1
Patches
c89477ad7944 inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
2 files changed · +16 −5
net/ipv4/icmp.c+10 −4 modifieddiff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 4abbec2f47ef5..4acbbc703e798 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -1031,16 +1031,22 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) /* Checkin full IP header plus 8 bytes of protocol to * avoid additional coding at protocol handlers. */ - if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) { - __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS); - return; - } + if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) + goto out; + + /* IPPROTO_RAW sockets are not supposed to receive anything. */ + if (protocol == IPPROTO_RAW) + goto out; raw_icmp_error(skb, protocol, info); ipprot = rcu_dereference(inet_protos[protocol]); if (ipprot && ipprot->err_handler) ipprot->err_handler(skb, info); + return; + +out: + __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS); } static bool icmp_tag_validation(int proto)
net/ipv6/icmp.c+6 −1 modifieddiff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 9d37e7711bc2b..a77f3113ef23b 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -1066,6 +1066,12 @@ enum skb_drop_reason icmpv6_notify(struct sk_buff *skb, u8 type, if (reason != SKB_NOT_DROPPED_YET) goto out; + if (nexthdr == IPPROTO_RAW) { + /* Add a more specific reason later ? */ + reason = SKB_DROP_REASON_NOT_SPECIFIED; + goto out; + } + /* BUGGG_FUTURE: we should try to parse exthdrs in this packet. Without this we will not able f.e. to make source routed pmtu discovery. -- cgit 1.3-korg
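Review bot: in the net/ipv4/icmp.c hunk, the new `protocol == IPPROTO_RAW` branch jumps to the same `out:` label as the failed `pskb_may_pull()` check, so both bump ICMP_MIB_INERRORS and a deliberately dropped protocol-255 error cannot be told apart from a truncated one in the counters. Consider a separate counter or drop reason for the new case, and extend the comment to say that the jump skips both `raw_icmp_error()` and the `err_handler` call, since "not supposed to receive anything" does not tell the reader which of the two paths was the problem.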
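Review bot: in the net/ipv6/icmp.c hunk, the new `nexthdr == IPPROTO_RAW` branch sets SKB_DROP_REASON_NOT_SPECIFIED and leaves an open question in its comment ("Add a more specific reason later ?"), so these drops blend in with every other unspecified drop when tracing drop reasons. Either pick a specific reason now or turn the question into a tracked TODO, and carry over the IPv4 hunk's explanation (IPPROTO_RAW sockets are not supposed to receive anything) so the IPv6 check documents its intent as well.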
db76b75ede38 inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
2 files changed · +16 −5
net/ipv4/icmp.c+10 −4 modifieddiff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index b17549c4e5de8..f3cdfc09d7f06 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -840,16 +840,22 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) /* Checkin full IP header plus 8 bytes of protocol to * avoid additional coding at protocol handlers. */ - if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) { - __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS); - return; - } + if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) + goto out; + + /* IPPROTO_RAW sockets are not supposed to receive anything. */ + if (protocol == IPPROTO_RAW) + goto out; raw_icmp_error(skb, protocol, info); ipprot = rcu_dereference(inet_protos[protocol]); if (ipprot && ipprot->err_handler) ipprot->err_handler(skb, info); + return; + +out: + __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS); } static bool icmp_tag_validation(int proto)
net/ipv6/icmp.c+6 −1 modifieddiff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index c7e815b7ca087..e9e457b7d4eac 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -869,6 +869,12 @@ enum skb_drop_reason icmpv6_notify(struct sk_buff *skb, u8 type, if (reason != SKB_NOT_DROPPED_YET) goto out; + if (nexthdr == IPPROTO_RAW) { + /* Add a more specific reason later ? */ + reason = SKB_DROP_REASON_NOT_SPECIFIED; + goto out; + } + /* BUGGG_FUTURE: we should try to parse exthdrs in this packet. Without this we will not able f.e. to make source routed pmtu discovery. -- cgit 1.3-korg
19e42490c89b inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
2 files changed · +16 −5
net/ipv4/icmp.c+10 −4 modifieddiff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 508b23204edc5..c0373d1172d73 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -840,16 +840,22 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) /* Checkin full IP header plus 8 bytes of protocol to * avoid additional coding at protocol handlers. */ - if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) { - __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS); - return; - } + if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) + goto out; + + /* IPPROTO_RAW sockets are not supposed to receive anything. */ + if (protocol == IPPROTO_RAW) + goto out; raw_icmp_error(skb, protocol, info); ipprot = rcu_dereference(inet_protos[protocol]); if (ipprot && ipprot->err_handler) ipprot->err_handler(skb, info); + return; + +out: + __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS); } static bool icmp_tag_validation(int proto)
net/ipv6/icmp.c+6 −1 modifieddiff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 13a796bfc2f93..c8609147fce89 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -871,6 +871,12 @@ enum skb_drop_reason icmpv6_notify(struct sk_buff *skb, u8 type, if (reason != SKB_NOT_DROPPED_YET) goto out; + if (nexthdr == IPPROTO_RAW) { + /* Add a more specific reason later ? */ + reason = SKB_DROP_REASON_NOT_SPECIFIED; + goto out; + } + /* BUGGG_FUTURE: we should try to parse exthdrs in this packet. Without this we will not able f.e. to make source routed pmtu discovery. -- cgit 1.3-korg
531c1aec81bf inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
2 files changed · +16 −5
net/ipv4/icmp.c+10 −4 modifieddiff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 1b7fb5d935edf..8e10e9e7676c5 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -843,16 +843,22 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) /* Checkin full IP header plus 8 bytes of protocol to * avoid additional coding at protocol handlers. */ - if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) { - __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS); - return; - } + if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) + goto out; + + /* IPPROTO_RAW sockets are not supposed to receive anything. */ + if (protocol == IPPROTO_RAW) + goto out; raw_icmp_error(skb, protocol, info); ipprot = rcu_dereference(inet_protos[protocol]); if (ipprot && ipprot->err_handler) ipprot->err_handler(skb, info); + return; + +out: + __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS); } static bool icmp_tag_validation(int proto)
net/ipv6/icmp.c+6 −1 modifieddiff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index cf6455cbe2cc9..306eec18e82c1 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -870,6 +870,12 @@ enum skb_drop_reason icmpv6_notify(struct sk_buff *skb, u8 type, if (reason != SKB_NOT_DROPPED_YET) goto out; + if (nexthdr == IPPROTO_RAW) { + /* Add a more specific reason later ? */ + reason = SKB_DROP_REASON_NOT_SPECIFIED; + goto out; + } + /* BUGGG_FUTURE: we should try to parse exthdrs in this packet. Without this we will not able f.e. to make source routed pmtu discovery. -- cgit 1.3-korg
719d3932b8f6 inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
2 files changed · +16 −5
net/ipv4/icmp.c+10 −4 modifieddiff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 4abbec2f47ef5..4acbbc703e798 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -1031,16 +1031,22 @@ static void icmp_socket_deliver(struct sk_buff *skb, u32 info) /* Checkin full IP header plus 8 bytes of protocol to * avoid additional coding at protocol handlers. */ - if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) { - __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS); - return; - } + if (!pskb_may_pull(skb, iph->ihl * 4 + 8)) + goto out; + + /* IPPROTO_RAW sockets are not supposed to receive anything. */ + if (protocol == IPPROTO_RAW) + goto out; raw_icmp_error(skb, protocol, info); ipprot = rcu_dereference(inet_protos[protocol]); if (ipprot && ipprot->err_handler) ipprot->err_handler(skb, info); + return; + +out: + __ICMP_INC_STATS(dev_net_rcu(skb->dev), ICMP_MIB_INERRORS); } static bool icmp_tag_validation(int proto)
net/ipv6/icmp.c+6 −1 modifieddiff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 9d37e7711bc2b..a77f3113ef23b 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -1066,6 +1066,12 @@ enum skb_drop_reason icmpv6_notify(struct sk_buff *skb, u8 type, if (reason != SKB_NOT_DROPPED_YET) goto out; + if (nexthdr == IPPROTO_RAW) { + /* Add a more specific reason later ? */ + reason = SKB_DROP_REASON_NOT_SPECIFIED; + goto out; + } + /* BUGGG_FUTURE: we should try to parse exthdrs in this packet. Without this we will not able f.e. to make source routed pmtu discovery. -- cgit 1.3-korg
References: 5
- git.kernel.org/stable/c/19e42490c89bac9a388f28179e66bebbef350f99 (nvd)
- git.kernel.org/stable/c/531c1aec81bfe19d00af13da5531fbb8209e4bd2 (nvd)
- git.kernel.org/stable/c/719d3932b8f6e3348ce2f0ac58e278301fc17575 (nvd)
- git.kernel.org/stable/c/c89477ad79446867394360b29bb801010fc3ff22 (nvd)
- git.kernel.org/stable/c/db76b75ede3810e7cf9cfea5067d4f3e0993768b (nvd)
News mentions: 1
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 3, 2026 (Vypr Intelligence · Jun 3, 2026)