Re: [PATCH stable 4.4 06/11] ipv6: defrag: drop non-last frags smaller than min mtu

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <gregkh@linux-foundation.org>
To: Mao Wenan <maowenan@huawei.com>
Cc: netdev@vger.kernel.org, eric.dumazet@gmail.com,
	davem@davemloft.net, stable@vger.kernel.org, edumazet@google.com
Subject: Re: [PATCH stable 4.4 06/11] ipv6: defrag: drop non-last frags smaller than min mtu
Date: Thu, 24 Jan 2019 19:31:03 +0100	[thread overview]
Message-ID: <20190124183103.GA18657@kroah.com> (raw)
In-Reply-To: <1548209986-83527-7-git-send-email-maowenan@huawei.com>

On Wed, Jan 23, 2019 at 10:19:41AM +0800, Mao Wenan wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> [ Upstream commit 0ed4229b08c13c84a3c301a08defdc9e7f4467e6 ]
> 
> don't bother with pathological cases, they only waste cycles.
> IPv6 requires a minimum MTU of 1280 so we should never see fragments
> smaller than this (except last frag).
> 
> v3: don't use awkward "-offset + len"
> v2: drop IPv4 part, which added same check w. IPV4_MIN_MTU (68).
>     There were concerns that there could be even smaller frags
>     generated by intermediate nodes, e.g. on radio networks.
> 
> Cc: Peter Oskolkov <posk@google.com>
> Cc: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Mao Wenan <maowenan@huawei.com>
> ---
>  net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++++
>  net/ipv6/reassembly.c                   | 4 ++++
>  2 files changed, 8 insertions(+)
> 
> diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
> index 9cd8863..c5033a2 100644
> --- a/net/ipv6/netfilter/nf_conntrack_reasm.c
> +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
> @@ -602,6 +602,10 @@ struct sk_buff *nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 use
>  	hdr = ipv6_hdr(clone);
>  	fhdr = (struct frag_hdr *)skb_transport_header(clone);
>  
> +	if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU &&
> +	    fhdr->frag_off & htons(IP6_MF))
> +		return -EINVAL;

This backport is incorrect, you should be returning a pointer, right?

How did you test this?  This should have blown up under test :(

I'm going to drop this whole series.  Please fix it up and test it
properly and then resend.

thanks,

greg k-h

next prev parent reply	other threads:[~2019-01-24 18:31 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-23  2:19 [PATCH stable 4.4 00/11] fix FragmentSmack in stable branch (CVE-2018-5391) Mao Wenan
2019-01-23  2:19 ` [PATCH stable 4.4 01/11] net: speed up skb_rbtree_purge() Mao Wenan
2019-01-23  2:19 ` [PATCH stable 4.4 02/11] ip: discard IPv4 datagrams with overlapping segments Mao Wenan
2019-01-23  2:19 ` [PATCH stable 4.4 03/11] net: modify skb_rbtree_purge to return the truesize of all purged skbs Mao Wenan
2019-01-23  2:19 ` [PATCH stable 4.4 04/11] inet: frags: get rif of inet_frag_evicting() Mao Wenan
2019-01-23  2:19 ` [PATCH stable 4.4 05/11] ip: use rb trees for IP frag queue Mao Wenan
2019-01-24 17:58   ` Greg KH
2019-01-25  1:50     ` maowenan
2019-01-25  7:07       ` Greg KH
2019-01-25  8:12         ` maowenan
2019-01-23  2:19 ` [PATCH stable 4.4 06/11] ipv6: defrag: drop non-last frags smaller than min mtu Mao Wenan
2019-01-24 18:31   ` Greg KH [this message]
2019-01-25  2:24     ` maowenan
2019-01-23  2:19 ` [PATCH stable 4.4 07/11] ip: add helpers to process in-order fragments faster Mao Wenan
2019-01-23  2:19 ` [PATCH stable 4.4 08/11] ip: process in-order fragments efficiently Mao Wenan
2019-01-23  2:19 ` [PATCH stable 4.4 09/11] net: ipv4: do not handle duplicate fragments as overlapping Mao Wenan
2019-01-23  2:19 ` [PATCH stable 4.4 10/11] ip: frags: fix crash in ip_do_fragment() Mao Wenan
2019-01-23  2:19 ` [PATCH stable 4.4 11/11] ipv4: frags: precedence bug in ip_expire() Mao Wenan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190124183103.GA18657@kroah.com \
    --to=gregkh@linux-foundation.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=eric.dumazet@gmail.com \
    --cc=maowenan@huawei.com \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.