From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
"Niccol� Belli" <darkbasic@linuxsystems.it>,
"Eric Dumazet" <eric.dumazet@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 16/41] ipsec: be careful of non existing mac headers
Date: Fri, 16 Mar 2012 16:38:26 -0700 [thread overview]
Message-ID: <20120316233812.045833021@linuxfoundation.org> (raw)
In-Reply-To: <20120316233829.GA14022@kroah.com>
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 3919 bytes --]
3.2-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <eric.dumazet@gmail.com>
[ Upstream commit 03606895cd98c0a628b17324fd7b5ff15db7e3cd ]
Niccolo Belli reported ipsec crashes in case we handle a frame without
mac header (atm in his case)
Before copying mac header, better make sure it is present.
Bugzilla reference: https://bugzilla.kernel.org/show_bug.cgi?id=42809
Reported-by: Niccolò Belli <darkbasic@linuxsystems.it>
Tested-by: Niccolò Belli <darkbasic@linuxsystems.it>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/skbuff.h | 10 ++++++++++
net/ipv4/xfrm4_mode_beet.c | 5 +----
net/ipv4/xfrm4_mode_tunnel.c | 6 ++----
net/ipv6/xfrm6_mode_beet.c | 6 +-----
net/ipv6/xfrm6_mode_tunnel.c | 6 ++----
5 files changed, 16 insertions(+), 17 deletions(-)
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1453,6 +1453,16 @@ static inline void skb_set_mac_header(st
}
#endif /* NET_SKBUFF_DATA_USES_OFFSET */
+static inline void skb_mac_header_rebuild(struct sk_buff *skb)
+{
+ if (skb_mac_header_was_set(skb)) {
+ const unsigned char *old_mac = skb_mac_header(skb);
+
+ skb_set_mac_header(skb, -skb->mac_len);
+ memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ }
+}
+
static inline int skb_checksum_start_offset(const struct sk_buff *skb)
{
return skb->csum_start - skb_headroom(skb);
--- a/net/ipv4/xfrm4_mode_beet.c
+++ b/net/ipv4/xfrm4_mode_beet.c
@@ -110,10 +110,7 @@ static int xfrm4_beet_input(struct xfrm_
skb_push(skb, sizeof(*iph));
skb_reset_network_header(skb);
-
- memmove(skb->data - skb->mac_len, skb_mac_header(skb),
- skb->mac_len);
- skb_set_mac_header(skb, -skb->mac_len);
+ skb_mac_header_rebuild(skb);
xfrm4_beet_make_header(skb);
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -66,7 +66,6 @@ static int xfrm4_mode_tunnel_output(stru
static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
{
- const unsigned char *old_mac;
int err = -EINVAL;
if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPIP)
@@ -84,10 +83,9 @@ static int xfrm4_mode_tunnel_input(struc
if (!(x->props.flags & XFRM_STATE_NOECN))
ipip_ecn_decapsulate(skb);
- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
skb_reset_network_header(skb);
+ skb_mac_header_rebuild(skb);
+
err = 0;
out:
--- a/net/ipv6/xfrm6_mode_beet.c
+++ b/net/ipv6/xfrm6_mode_beet.c
@@ -80,7 +80,6 @@ static int xfrm6_beet_output(struct xfrm
static int xfrm6_beet_input(struct xfrm_state *x, struct sk_buff *skb)
{
struct ipv6hdr *ip6h;
- const unsigned char *old_mac;
int size = sizeof(struct ipv6hdr);
int err;
@@ -90,10 +89,7 @@ static int xfrm6_beet_input(struct xfrm_
__skb_push(skb, size);
skb_reset_network_header(skb);
-
- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ skb_mac_header_rebuild(skb);
xfrm6_beet_make_header(skb);
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -63,7 +63,6 @@ static int xfrm6_mode_tunnel_output(stru
static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
{
int err = -EINVAL;
- const unsigned char *old_mac;
if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPV6)
goto out;
@@ -80,10 +79,9 @@ static int xfrm6_mode_tunnel_input(struc
if (!(x->props.flags & XFRM_STATE_NOECN))
ipip6_ecn_decapsulate(skb);
- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
skb_reset_network_header(skb);
+ skb_mac_header_rebuild(skb);
+
err = 0;
out:
WARNING: multiple messages have this Message-ID (diff)
From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
"Niccol� Belli" <darkbasic@linuxsystems.it>,
"Eric Dumazet" <eric.dumazet@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 16/41] ipsec: be careful of non existing mac headers
Date: Fri, 16 Mar 2012 16:38:26 -0700 [thread overview]
Message-ID: <20120316233812.045833021@linuxfoundation.org> (raw)
In-Reply-To: <20120316233829.GA14022@kroah.com>
3.2-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <eric.dumazet@gmail.com>
[ Upstream commit 03606895cd98c0a628b17324fd7b5ff15db7e3cd ]
Niccolo Belli reported ipsec crashes in case we handle a frame without
mac header (atm in his case)
Before copying mac header, better make sure it is present.
Bugzilla reference: https://bugzilla.kernel.org/show_bug.cgi?id=42809
Reported-by: Niccol� Belli <darkbasic@linuxsystems.it>
Tested-by: Niccol� Belli <darkbasic@linuxsystems.it>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/skbuff.h | 10 ++++++++++
net/ipv4/xfrm4_mode_beet.c | 5 +----
net/ipv4/xfrm4_mode_tunnel.c | 6 ++----
net/ipv6/xfrm6_mode_beet.c | 6 +-----
net/ipv6/xfrm6_mode_tunnel.c | 6 ++----
5 files changed, 16 insertions(+), 17 deletions(-)
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1453,6 +1453,16 @@ static inline void skb_set_mac_header(st
}
#endif /* NET_SKBUFF_DATA_USES_OFFSET */
+static inline void skb_mac_header_rebuild(struct sk_buff *skb)
+{
+ if (skb_mac_header_was_set(skb)) {
+ const unsigned char *old_mac = skb_mac_header(skb);
+
+ skb_set_mac_header(skb, -skb->mac_len);
+ memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ }
+}
+
static inline int skb_checksum_start_offset(const struct sk_buff *skb)
{
return skb->csum_start - skb_headroom(skb);
--- a/net/ipv4/xfrm4_mode_beet.c
+++ b/net/ipv4/xfrm4_mode_beet.c
@@ -110,10 +110,7 @@ static int xfrm4_beet_input(struct xfrm_
skb_push(skb, sizeof(*iph));
skb_reset_network_header(skb);
-
- memmove(skb->data - skb->mac_len, skb_mac_header(skb),
- skb->mac_len);
- skb_set_mac_header(skb, -skb->mac_len);
+ skb_mac_header_rebuild(skb);
xfrm4_beet_make_header(skb);
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -66,7 +66,6 @@ static int xfrm4_mode_tunnel_output(stru
static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
{
- const unsigned char *old_mac;
int err = -EINVAL;
if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPIP)
@@ -84,10 +83,9 @@ static int xfrm4_mode_tunnel_input(struc
if (!(x->props.flags & XFRM_STATE_NOECN))
ipip_ecn_decapsulate(skb);
- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
skb_reset_network_header(skb);
+ skb_mac_header_rebuild(skb);
+
err = 0;
out:
--- a/net/ipv6/xfrm6_mode_beet.c
+++ b/net/ipv6/xfrm6_mode_beet.c
@@ -80,7 +80,6 @@ static int xfrm6_beet_output(struct xfrm
static int xfrm6_beet_input(struct xfrm_state *x, struct sk_buff *skb)
{
struct ipv6hdr *ip6h;
- const unsigned char *old_mac;
int size = sizeof(struct ipv6hdr);
int err;
@@ -90,10 +89,7 @@ static int xfrm6_beet_input(struct xfrm_
__skb_push(skb, size);
skb_reset_network_header(skb);
-
- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ skb_mac_header_rebuild(skb);
xfrm6_beet_make_header(skb);
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -63,7 +63,6 @@ static int xfrm6_mode_tunnel_output(stru
static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
{
int err = -EINVAL;
- const unsigned char *old_mac;
if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPV6)
goto out;
@@ -80,10 +79,9 @@ static int xfrm6_mode_tunnel_input(struc
if (!(x->props.flags & XFRM_STATE_NOECN))
ipip6_ecn_decapsulate(skb);
- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
skb_reset_network_header(skb);
+ skb_mac_header_rebuild(skb);
+
err = 0;
out:
next prev parent reply other threads:[~2012-03-16 23:47 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-16 23:38 [ 00/41] 3.2.12-stable review Greg KH
2012-03-16 23:38 ` [ 01/41] ASoC: neo1973: fix neo1973 wm8753 initialization Greg KH
2012-03-16 23:38 ` [ 02/41] ALSA: hda/realtek - Apply the coef-setup only to ALC269VB Greg KH
2012-03-16 23:38 ` [ 03/41] aio: fix io_setup/io_destroy race Greg KH
2012-03-16 23:38 ` [ 04/41] aio: fix the "too late munmap()" race Greg KH
2012-03-16 23:38 ` [ 05/41] x86: Derandom delay_tsc for 64 bit Greg KH
2012-03-16 23:38 ` [ 06/41] PCI: ignore pre-1.1 ASPM quirking when ASPM is disabled Greg KH
2012-03-31 3:23 ` Ken Moffat
2012-03-31 3:33 ` Jonathan Nieder
2012-03-31 18:20 ` Linus Torvalds
2012-03-31 18:20 ` Linus Torvalds
2012-03-31 18:32 ` Matthew Garrett
2012-03-31 18:32 ` Matthew Garrett
2012-04-19 23:21 ` Ken Moffat
2012-04-01 16:11 ` Ken Moffat
2012-04-01 16:11 ` Ken Moffat
2012-04-01 16:59 ` Linus Torvalds
2012-04-01 16:59 ` Linus Torvalds
2012-04-01 17:10 ` Greg KH
2012-04-01 17:10 ` Greg KH
2012-04-02 20:27 ` Ken Moffat
2012-04-02 20:27 ` Ken Moffat
2012-03-16 23:38 ` [ 07/41] [media] omap3isp: ccdc: Fix crash in HS/VS interrupt handler Greg KH
2012-03-16 23:38 ` [ 08/41] rt2x00: fix random stalls Greg KH
2012-03-16 23:38 ` [ 09/41] perf/x86: Fix local vs remote memory events for NHM/WSM Greg KH
2012-03-16 23:38 ` [ 10/41] CIFS: Do not kmalloc under the flocks spinlock Greg KH
2012-03-17 2:37 ` Ben Hutchings
2012-03-17 6:14 ` Pavel Shilovsky
2012-03-17 6:14 ` Pavel Shilovsky
2012-03-17 7:32 ` Ben Hutchings
2012-03-17 7:52 ` Pavel Shilovsky
2012-03-17 7:52 ` Pavel Shilovsky
2012-03-19 15:50 ` Greg KH
2012-03-19 19:11 ` Pavel Shilovsky
2012-03-19 19:11 ` Pavel Shilovsky
2012-03-19 19:24 ` Greg KH
2012-03-23 17:52 ` Greg KH
2012-03-16 23:38 ` [ 11/41] vfs: fix return value from do_last() Greg KH
2012-03-16 23:38 ` [ 12/41] vfs: fix double put after complete_walk() Greg KH
2012-03-16 23:38 ` [ 13/41] acer-wmi: No wifi rfkill on Lenovo machines Greg KH
2012-03-16 23:38 ` [ 14/41] atl1c: dont use highprio tx queue Greg KH
2012-03-16 23:38 ` [ 15/41] neighbour: Fixed race condition at tbl->nht Greg KH
2012-03-16 23:38 ` Greg KH [this message]
2012-03-16 23:38 ` [ 16/41] ipsec: be careful of non existing mac headers Greg KH
2012-03-16 23:38 ` [ 17/41] ppp: fix ppp_mp_reconstruct bad seq errors Greg KH
2012-03-16 23:38 ` [ 18/41] sfc: Fix assignment of ip_summed for pre-allocated skbs Greg KH
2012-03-16 23:38 ` [ 19/41] tcp: fix false reordering signal in tcp_shifted_skb Greg KH
2012-03-16 23:38 ` [ 20/41] vmxnet3: Fix transport header size Greg KH
2012-03-16 23:38 ` [ 21/41] packetengines: fix config default Greg KH
2012-03-16 23:38 ` [ 22/41] r8169: corrupted IP fragments fix for large mtu Greg KH
2012-03-16 23:38 ` Greg KH
2012-03-16 23:38 ` [ 23/41] tcp: dont fragment SACKed skbs in tcp_mark_head_lost() Greg KH
2012-03-16 23:38 ` Greg KH
2012-03-16 23:38 ` [ 24/41] bridge: check return value of ipv6_dev_get_saddr() Greg KH
2012-03-16 23:38 ` [ 25/41] tcp: fix tcp_shift_skb_data() to not shift SACKed data below snd_una Greg KH
2012-03-16 23:38 ` [ 26/41] IPv6: Fix not join all-router mcast group when forwarding set Greg KH
2012-03-16 23:38 ` [ 27/41] usb: asix: Patch for Sitecom LN-031 Greg KH
2012-03-16 23:38 ` [ 28/41] regulator: Fix setting selector in tps6524x set_voltage function Greg KH
2012-03-16 23:38 ` [ 29/41] block: Fix NULL pointer dereference in sd_revalidate_disk Greg KH
2012-03-16 23:38 ` [ 30/41] block, sx8: fix pointer math issue getting fw version Greg KH
2012-03-16 23:38 ` [ 31/41] block: fix __blkdev_get and add_disk race condition Greg KH
2012-03-16 23:38 ` [ 32/41] Block: use a freezable workqueue for disk-event polling Greg KH
2012-03-16 23:38 ` [ 33/41] sparc32: Add -Av8 to assembler command line Greg KH
2012-03-16 23:38 ` [ 34/41] hwmon: (w83627ehf) Fix writing into fan_stop_time for NCT6775F/NCT6776F Greg KH
2012-03-16 23:38 ` [ 35/41] hwmon: (w83627ehf) Fix memory leak in probe function Greg KH
2012-03-16 23:38 ` [ 36/41] hwmon: (w83627ehf) Fix temp2 source for W83627UHG Greg KH
2012-03-16 23:38 ` [ 37/41] rapidio/tsi721: fix bug in register offset definitions Greg KH
2012-03-16 23:38 ` [ 38/41] i2c-algo-bit: Fix spurious SCL timeouts under heavy load Greg KH
2012-03-16 23:38 ` [ 39/41] iscsi-target: Fix reservation conflict -EBUSY response handling bug Greg KH
2012-03-16 23:38 ` [ 40/41] target: Fix compatible reservation handling (CRH=1) with legacy RESERVE/RELEASE Greg KH
2012-03-16 23:38 ` [ 41/41] hwmon: (zl6100) Enable interval between chip accesses for all chips Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120316233812.045833021@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=darkbasic@linuxsystems.it \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.