From 299ed8823f2f9be1515671eafa7dcde3a00bfd09 Mon Sep 17 00:00:00 2001
From: zhangqiumiao <zhangqiumiao1@huawei.com>
Date: Mon, 7 Jul 2025 17:22:13 +0800
Subject: [PATCH] ipvlan: Fix out-of-bounds caused by unclear skb->cb in I2e
 mode

openEuler inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7GVI1
CVE: CVE-2023-3090

Reference: https://gitee.com/openeuler/kernel/commit/f49546d265363c51a232f28f2aede5b4240f7685

--------------------------------

We should clear skb->cb before ip_local_out or ip6_local_out in l2e mode too.

Fixes: 53f51b3cd1e4 ("ipvlan: Introduce l2e mode")
Co-developed-by: "t.feng" <fengtao40@huawei.com>
Signed-off-by: zhangqiumiao <zhangqiumiao1@huawei.com>
Signed-off-by: dongchenchen <dongchenchen2@huawei.com>
---
 drivers/net/ipvlan/ipvlan_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
index 0a82752b28b5..57803d8196ed 100644
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -578,6 +578,9 @@ static int ipvlan_process_v4_forward(struct sk_buff *skb)
 		goto err;
 	}
 	skb_dst_set(skb, &rt->dst);
+
+	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+
 	err = ip_local_out(net, skb->sk, skb);
 	if (unlikely(net_xmit_eval(err)))
 		dev->stats.tx_errors++;
@@ -615,6 +618,9 @@ static int ipvlan_process_v6_forward(struct sk_buff *skb)
 		goto err;
 	}
 	skb_dst_set(skb, dst);
+
+	memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+
 	err = ip6_local_out(net, skb->sk, skb);
 	if (unlikely(net_xmit_eval(err)))
 		dev->stats.tx_errors++;
-- 
Gitee