[PATCH] ipv6: check if dereference of ipv6 header is safe

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: Hannes Frederic Sowa <hannes@stressinduktion.org>
To: netdev@vger.kernel.org
Subject: [PATCH] ipv6: check if dereference of ipv6 header is safe
Date: Thu, 17 Jan 2013 04:56:52 +0100	[thread overview]
Message-ID: <20130117035652.GB23782@order.stressinduktion.org> (raw)

When ipip6_rcv gets called we are sure that we have a full blown
ipv4 packet header in the linear skb buffer (this is checked by
xfrm4_mode_tunnel_input). Because we dereference fields of the inner
ipv6 header we should actually check for the length of the sum of the
ipv4 and ipv6 header.

If the skb is too short this packet could very well be destined for
another tunnel. So we should notify the caller accordingly (albeit
currently xfrm4_mode_tunnel_input does not care; this could need another
patch).

Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
 net/ipv6/sit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 2b4c15a..389d6e3 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -612,8 +612,8 @@ static int ipip6_rcv(struct sk_buff *skb)
 	struct ip_tunnel *tunnel;
 	int err;

-	if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
-		goto out;
+	if (!pskb_may_pull(skb, sizeof(struct iphdr) + sizeof(struct ipv6hdr)))
+		return 1;

 	iph = ip_hdr(skb);

-- 
1.7.11.7

next             reply	other threads:[~2013-01-17  3:56 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-01-17  3:56 Hannes Frederic Sowa [this message]
2013-01-18  2:06 ` [PATCH] ipv6: check if dereference of ipv6 header is safe Hannes Frederic Sowa
2013-01-18  2:08   ` David Miller
2013-01-18  2:21   ` Eric Dumazet
2013-01-18  3:08     ` Hannes Frederic Sowa
2013-01-18 19:12       ` Eric Dumazet

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:2b4c15a dfblob:389d6e3 )
 OR (
bs:"[PATCH] ipv6: check if dereference of ipv6 header is safe" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130117035652.GB23782@order.stressinduktion.org \
    --to=hannes@stressinduktion.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox