From: Stefano Brivio <sbrivio@redhat.com>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
netdev <netdev@vger.kernel.org>,
Eric Dumazet <eric.dumazet@gmail.com>,
syzbot <syzkaller@googlegroups.com>,
Sabrina Dubroca <sd@queasysnail.net>
Subject: Re: [PATCH net] fou, fou6: do not assume linear skbs
Date: Fri, 11 Jan 2019 15:15:07 +0100 [thread overview]
Message-ID: <20190111151507.393bab41@redhat.com> (raw)
In-Reply-To: <20190111125552.148871-1-edumazet@google.com>
On Fri, 11 Jan 2019 04:55:52 -0800
Eric Dumazet <edumazet@google.com> wrote:
> Both gue_err() and gue6_err() incorrectly assume
> linear skbs. Fix them to use pskb_may_pull().
Thanks for fixing this! I stupidly didn't suspect we could get
non-linear skbs there. Just two things:
> +++ b/net/ipv4/fou.c
> @@ -1020,10 +1020,11 @@ static int gue_err(struct sk_buff *skb, u32 info)
> {
> int transport_offset = skb_transport_offset(skb);
> struct guehdr *guehdr;
> - size_t optlen;
> + size_t len, optlen;
> int ret;
>
> - if (skb->len < sizeof(struct udphdr) + sizeof(struct guehdr))
> + len = sizeof(struct udphdr) + sizeof(struct guehdr);
> + if (!pskb_may_pull(skb, len))
> return -EINVAL;
>
> guehdr = (struct guehdr *)&udp_hdr(skb)[1];
> @@ -1058,6 +1059,10 @@ static int gue_err(struct sk_buff *skb, u32 info)
>
> optlen = guehdr->hlen << 2;
>
> + if (!pskb_may_pull(skb, len + optlen)
^ ) missing
> + return -EINVAL;
> +
> + guehdr = (struct guehdr *)&udp_hdr(skb)[1];
> if (validate_gue_flags(guehdr, optlen))
> return -EINVAL;
>
> diff --git a/net/ipv6/fou6.c b/net/ipv6/fou6.c
> index 7da7bf3b7fe3953eeb60addfffd6687c4da582c4..320413af4890641e7199d7d7102e7d8c2794d557 100644
> --- a/net/ipv6/fou6.c
> +++ b/net/ipv6/fou6.c
> @@ -90,10 +90,11 @@ static int gue6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
> {
> int transport_offset = skb_transport_offset(skb);
> struct guehdr *guehdr;
> - size_t optlen;
> + size_t len, optlen;
> int ret;
>
> - if (skb->len < sizeof(struct udphdr) + sizeof(struct guehdr))
> + len = sizeof(struct udphdr) + sizeof(struct guehdr);
> + if (!pskb_may_pull(skb, len))
> return -EINVAL;
>
> guehdr = (struct guehdr *)&udp_hdr(skb)[1];
> @@ -128,6 +129,10 @@ static int gue6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
>
> optlen = guehdr->hlen << 2;
>
> + if (!pskb_may_pull(skb, len + optlen)
^ ) missing
> + return -EINVAL;
> +
> + guehdr = (struct guehdr *)&udp_hdr(skb)[1];
> if (validate_gue_flags(guehdr, optlen))
> return -EINVAL;
>
--
Stefano
next prev parent reply other threads:[~2019-01-11 14:15 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-11 12:55 [PATCH net] fou, fou6: do not assume linear skbs Eric Dumazet
2019-01-11 14:15 ` Stefano Brivio [this message]
2019-01-11 14:20 ` Eric Dumazet
2019-01-11 14:23 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190111151507.393bab41@redhat.com \
--to=sbrivio@redhat.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=sd@queasysnail.net \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.