From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Willem de Bruijn <willemb@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 02/20] ipv6: fix ip6_tnl_parse_tlv_enc_lim()
Date: Thu, 16 Feb 2017 09:53:32 -0800 [thread overview]
Message-ID: <20170216175259.619574493@linuxfoundation.org> (raw)
In-Reply-To: <20170216175259.514980415@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 ]
This function suffers from multiple issues.
First one is that pskb_may_pull() may reallocate skb->head,
so the 'raw' pointer needs either to be reloaded or not used at all.
Second issue is that NEXTHDR_DEST handling does not validate
that the options are present in skb->data, so we might read
garbage or access non existent memory.
With help from Willem de Bruijn.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_tunnel.c | 34 ++++++++++++++++++++++------------
1 file changed, 22 insertions(+), 12 deletions(-)
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -479,18 +479,19 @@ ip6_tnl_dev_uninit(struct net_device *de
__u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
{
- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) raw;
- __u8 nexthdr = ipv6h->nexthdr;
- __u16 off = sizeof(*ipv6h);
+ const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw;
+ unsigned int nhoff = raw - skb->data;
+ unsigned int off = nhoff + sizeof(*ipv6h);
+ u8 next, nexthdr = ipv6h->nexthdr;
while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) {
- __u16 optlen = 0;
struct ipv6_opt_hdr *hdr;
- if (raw + off + sizeof(*hdr) > skb->data &&
- !pskb_may_pull(skb, raw - skb->data + off + sizeof (*hdr)))
+ u16 optlen;
+
+ if (!pskb_may_pull(skb, off + sizeof(*hdr)))
break;
- hdr = (struct ipv6_opt_hdr *) (raw + off);
+ hdr = (struct ipv6_opt_hdr *)(skb->data + off);
if (nexthdr == NEXTHDR_FRAGMENT) {
struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr;
if (frag_hdr->frag_off)
@@ -501,20 +502,29 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct s
} else {
optlen = ipv6_optlen(hdr);
}
+ /* cache hdr->nexthdr, since pskb_may_pull() might
+ * invalidate hdr
+ */
+ next = hdr->nexthdr;
if (nexthdr == NEXTHDR_DEST) {
- __u16 i = off + 2;
+ u16 i = 2;
+
+ /* Remember : hdr is no longer valid at this point. */
+ if (!pskb_may_pull(skb, off + optlen))
+ break;
+
while (1) {
struct ipv6_tlv_tnl_enc_lim *tel;
/* No more room for encapsulation limit */
- if (i + sizeof (*tel) > off + optlen)
+ if (i + sizeof(*tel) > optlen)
break;
- tel = (struct ipv6_tlv_tnl_enc_lim *) &raw[i];
+ tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
/* return index of option if found and valid */
if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT &&
tel->length == 1)
- return i;
+ return i + off - nhoff;
/* else jump to next option */
if (tel->type)
i += tel->length + 2;
@@ -522,7 +532,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct s
i++;
}
}
- nexthdr = hdr->nexthdr;
+ nexthdr = next;
off += optlen;
}
return 0;
next prev parent reply other threads:[~2017-02-16 18:08 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-16 17:53 [PATCH 4.4 00/20] 4.4.50-stable review Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 01/20] can: Fix kernel panic at security_sock_rcv_skb Greg Kroah-Hartman
2017-02-16 17:53 ` Greg Kroah-Hartman [this message]
2017-02-16 17:53 ` [PATCH 4.4 03/20] ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 04/20] tcp: fix 0 divide in __tcp_select_window() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 05/20] net: use a work queue to defer net_disable_timestamp() work Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 06/20] ipv4: keep skb->dst around in presence of IP options Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 07/20] netlabel: out of bound access in cipso_v4_validate() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 08/20] ip6_gre: fix ip6gre_err() invalid reads Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 09/20] ipv6: tcp: add a missing tcp_v6_restore_cb() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 10/20] tcp: avoid infinite loop in tcp_splice_read() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 11/20] tun: read vnet_hdr_sz once Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 12/20] macvtap: read vnet_hdr_size once Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 13/20] mlx4: Invoke softirqs after napi_reschedule Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 14/20] sctp: avoid BUG_ON on sctp_wait_for_sndbuf Greg Kroah-Hartman
2017-02-21 16:08 ` Ben Hutchings
2017-02-21 16:56 ` Marcelo
2017-02-21 19:54 ` Marcelo Ricardo Leitner
2017-02-21 19:54 ` Marcelo Ricardo Leitner
2017-02-16 17:53 ` [PATCH 4.4 15/20] sit: fix a double free on error path Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 16/20] net: introduce device min_header_len Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 17/20] packet: round up linear to header len Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 18/20] ping: fix a null pointer dereference Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 19/20] l2tp: do not use udp_ioctl() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 20/20] tcp: fix mark propagation with fwmark_reflect enabled Greg Kroah-Hartman
2017-02-17 10:37 ` [PATCH 4.4 00/20] 4.4.50-stable review Guenter Roeck
[not found] ` <58a74eeb.c910190a.1e315.c4dd@mx.google.com>
2017-02-17 23:43 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170216175259.619574493@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.