From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
David Ahern <dsahern@kernel.org>
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Willem de Bruijn <willemb@google.com>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Kuniyuki Iwashima <kuni1840@gmail.com>, <netdev@vger.kernel.org>
Subject: [PATCH v1 net 5/5] ip6_tunnel: Pull header after checking skb->protocol in ip6_tnl_start_xmit().
Date: Mon, 15 Apr 2024 15:20:41 -0700 [thread overview]
Message-ID: <20240415222041.18537-6-kuniyu@amazon.com> (raw)
In-Reply-To: <20240415222041.18537-1-kuniyu@amazon.com>
syzkaller demonstrated the underflow in pskb_network_may_pull()
by sending a crafted VLAN packet over tunnel devices: sit, ipip,
vti, and vti6.
The same warning will be triggered for ip6tnl, so let's check
skb->protocol before pulling the next header in ip6_tnl_start_xmit().
Fixes: cb9f1b783850 ("ip: validate header length on virtual device xmit")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
net/ipv6/ip6_tunnel.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index e9cc315832cb..81be7a5be6c5 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1424,14 +1424,17 @@ ip6_tnl_start_xmit(struct sk_buff *skb, struct net_device *dev)
u8 ipproto;
int ret;
- if (!pskb_inet_may_pull(skb))
- goto tx_err;
-
switch (skb->protocol) {
case htons(ETH_P_IP):
+ if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))
+ goto tx_err;
+
ipproto = IPPROTO_IPIP;
break;
case htons(ETH_P_IPV6):
+ if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))
+ goto tx_err;
+
if (ip6_tnl_addr_conflict(t, ipv6_hdr(skb)))
goto tx_err;
ipproto = IPPROTO_IPV6;
--
2.30.2
prev parent reply other threads:[~2024-04-15 22:23 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-15 22:20 [PATCH v1 net 0/5] ip: Fix warning in pskb_may_pull_reason() for tunnel devices Kuniyuki Iwashima
2024-04-15 22:20 ` [PATCH v1 net 1/5] sit: Pull header after checking skb->protocol in sit_tunnel_xmit() Kuniyuki Iwashima
2024-04-18 2:04 ` Jakub Kicinski
2024-04-18 3:31 ` Kuniyuki Iwashima
2024-04-18 6:56 ` Eric Dumazet
2024-04-18 7:00 ` Eric Dumazet
2024-04-18 8:57 ` Paolo Abeni
2024-04-18 17:02 ` Kuniyuki Iwashima
2024-04-15 22:20 ` [PATCH v1 net 2/5] vti: Pull header after checking skb->protocol in vti_tunnel_xmit() Kuniyuki Iwashima
2024-04-15 22:20 ` [PATCH v1 net 3/5] ip6_vti: Pull header after checking skb->protocol in vti6_tnl_xmit() Kuniyuki Iwashima
2024-04-15 22:20 ` [PATCH v1 net 4/5] ipip: Pull header after checking skb->protocol in ipip_tunnel_xmit() Kuniyuki Iwashima
2024-04-15 22:20 ` Kuniyuki Iwashima [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240415222041.18537-6-kuniyu@amazon.com \
--to=kuniyu@amazon.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=kuni1840@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=steffen.klassert@secunet.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.