[PATCH] net: clear IP defragmentation state after returning a complete packet

Mateusz Furdyna mateusz.furdyna at nokia.com
Tue Jun 2 00:48:21 CEST 2026


During the IP defragmentation process, after the reassembly is finished
with the last packet arriving with MF=0, the reassembly state wrt.
static counters is not cleared. In case this last arriving packet with
MF=0 gets duplicated, payload bytes are mistakenly treated as hole data.

A malicious actor who can deliver fragmented IP traffic to a U-Boot
instance with CONFIG_IP_DEFRAG=y can corrupt memory via out-of-bounds
writes and redirect control flow into attacker-supplied payload bytes
that already sit in `pkt_buff[]`.

Publicly available AI models are able to generate a reproducer based
on the provided information.

Fix: once the assembled packet has been handed back to the caller, mark
the reassembly state empty so that any further fragment (duplicate,
replay, or a brand-new datagram that happens to reuse the `ip_id`) goes
through the normal re-init path and rebuilds a clean hole list instead
of dereferencing payload bytes as struct hole.

Fixes: 5cfaa4e54d0e ("net: defragment IP packets")
Reported-by: Mariusz Madej <mariusz.madej at nokia.com>
Signed-off-by: Mateusz Furdyna <mateusz.furdyna at nokia.com>
---
 net/net.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/net.c b/net/net.c
index ae3b977781f..caaee3ff30c 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1103,6 +1103,14 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
 
 	*lenp = total_len + IP_HDR_SIZE;
 	localip->ip_len = htons(*lenp);
+
+	/* Mark the reassembly state empty so that any further
+	 * fragment goes through the normal re-init path and
+	 * rebuilds a clean hole list
+	 */
+	total_len = 0;
+	first_hole = 0;
+
 	return localip;
 }
 
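Review bot: The new comment before `total_len = 0;` says further fragments will take "the normal re-init path", but nothing in this hunk shows which of the two cleared variables that path actually tests. Please name the condition in the comment (for example, that a zero `total_len` is what forces the re-init), so that a later change to that check does not silently undo this fix. If the re-init path already rewrites `first_hole` itself, then `first_hole = 0;` here is redundant and should either be dropped or described as defensive. Since the trigger is a repeated final fragment (MF=0) with the same `ip_id`, a regression test that feeds the last fragment twice and checks that the second copy starts a fresh reassembly would be a useful addition to the patch.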

---
base-commit: 30b77f6aa146c96b831cb4ece038130b655b6a41
change-id: 20260530-ip_defrag-130c345dd9db

Best regards,
--  
Mateusz Furdyna <mateusz.furdyna at nokia.com>


