From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sabrina Dubroca <sd@queasysnail.net>,
Steffen Klassert <steffen.klassert@secunet.com>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 04/16] esp4: add length check for UDP encapsulation
Date: Thu, 16 May 2019 07:40:55 -0400 [thread overview]
Message-ID: <20190516114107.8963-4-sashal@kernel.org> (raw)
In-Reply-To: <20190516114107.8963-1-sashal@kernel.org>
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 8dfb4eba4100e7cdd161a8baef2d8d61b7a7e62e ]
esp_output_udp_encap can produce a length that doesn't fit in the 16
bits of a UDP header's length field. In that case, we'll send a
fragmented packet whose length is larger than IP_MAX_MTU (resulting in
"Oversized IP packet" warnings on receive) and with a bogus UDP
length.
To prevent this, add a length check to esp_output_udp_encap and return
-EMSGSIZE on failure.
This seems to be older than git history.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/esp4.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index d30285c5d52dd..c8e32f167ebbf 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -205,7 +205,7 @@ static void esp_output_fill_trailer(u8 *tail, int tfclen, int plen, __u8 proto)
tail[plen - 1] = proto;
}
-static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp)
+static int esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp)
{
int encap_type;
struct udphdr *uh;
@@ -213,6 +213,7 @@ static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, stru
__be16 sport, dport;
struct xfrm_encap_tmpl *encap = x->encap;
struct ip_esp_hdr *esph = esp->esph;
+ unsigned int len;
spin_lock_bh(&x->lock);
sport = encap->encap_sport;
@@ -220,11 +221,14 @@ static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, stru
encap_type = encap->encap_type;
spin_unlock_bh(&x->lock);
+ len = skb->len + esp->tailen - skb_transport_offset(skb);
+ if (len + sizeof(struct iphdr) >= IP_MAX_MTU)
+ return -EMSGSIZE;
+
uh = (struct udphdr *)esph;
uh->source = sport;
uh->dest = dport;
- uh->len = htons(skb->len + esp->tailen
- - skb_transport_offset(skb));
+ uh->len = htons(len);
uh->check = 0;
switch (encap_type) {
@@ -241,6 +245,8 @@ static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, stru
*skb_mac_header(skb) = IPPROTO_UDP;
esp->esph = esph;
+
+ return 0;
}
int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp)
@@ -254,8 +260,12 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
int tailen = esp->tailen;
/* this is non-NULL only with UDP Encapsulation */
- if (x->encap)
- esp_output_udp_encap(x, skb, esp);
+ if (x->encap) {
+ int err = esp_output_udp_encap(x, skb, esp);
+
+ if (err < 0)
+ return err;
+ }
if (!skb_cloned(skb)) {
if (tailen <= skb_tailroom(skb)) {
--
2.20.1
next prev parent reply other threads:[~2019-05-16 11:44 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-16 11:40 [PATCH AUTOSEL 4.14 01/16] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.14 02/16] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.14 03/16] vti4: ipip tunnel deregistration fixes Sasha Levin
2019-05-16 11:40 ` Sasha Levin [this message]
2019-05-16 11:40 ` [PATCH AUTOSEL 4.14 05/16] xfrm4: Fix uninitialized memory read in _decode_session4 Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.14 06/16] power: supply: cpcap-battery: Fix division by zero Sasha Levin
2019-05-19 21:31 ` Pavel Machek
2019-05-16 11:40 ` [PATCH AUTOSEL 4.14 07/16] securityfs: fix use-after-free on symlink traversal Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.14 08/16] apparmorfs: " Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 4.14 09/16] mac80211: Fix kernel panic due to use of txq after free Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 4.14 10/16] KVM: arm/arm64: Ensure vcpu target is unset on reset failure Sasha Levin
2019-05-16 11:41 ` Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 4.14 11/16] power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 4.14 12/16] iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 4.14 13/16] sched/cpufreq: Fix kobject memleak Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 4.14 14/16] x86/mm/mem_encrypt: Disable all instrumentation for early SME setup Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 4.14 15/16] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Sasha Levin
2019-05-16 11:41 ` [PATCH AUTOSEL 4.14 16/16] perf bench numa: Add define for RUSAGE_THREAD if not present Sasha Levin
2019-05-16 11:41 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190516114107.8963-4-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sd@queasysnail.net \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.