From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net] ipv6: fix udpv6 sendmsg crash caused by too small MTU
Date: Mon, 15 Jan 2018 13:30:26 -0500 (EST)
Message-ID: <20180115.133026.488063576165047709.davem@davemloft.net>
References: <20180110174510.138752-1-maloneykernel@gmail.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, eric.dumazet@gmail.com, maloney@google.com
To: maloneykernel@gmail.com
Return-path:
Received: from shards.monkeyblade.net ([184.105.139.130]:50198 "EHLO
	shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750718AbeAOSa1 (ORCPT );
	Mon, 15 Jan 2018 13:30:27 -0500
In-Reply-To: <20180110174510.138752-1-maloneykernel@gmail.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Mike Maloney
Date: Wed, 10 Jan 2018 12:45:10 -0500

> From: Mike Maloney
>
> The logic in __ip6_append_data() assumes that the MTU is at least large
> enough for the headers. A device's MTU may be adjusted after being
> added while sendmsg() is processing data, resulting in
> __ip6_append_data() seeing any MTU. For an mtu smaller than the size of
> the fragmentation header, the math results in a negative 'maxfraglen',
> which causes problems when refragmenting any previous skb in the
> skb_write_queue, leaving it possibly malformed.
>
> Instead sendmsg returns EINVAL when the mtu is calculated to be less
> than IPV6_MIN_MTU.
 ...
> Reported-by: syzbot
> Signed-off-by: Mike Maloney

Applied and queued up for -stable, thank you.
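
Added example, not part of the original message or of the applied patch: a userspace C model of the arithmetic the quoted commit message describes, showing 'maxfraglen' going negative once the MTU drops below the 8-byte fragment header, and a check against IPV6_MIN_MTU rejecting such values with EINVAL. The formula as written here, the function names and the 40-byte header length (no extension headers) are assumptions of this sketch.

```c
#include <errno.h>
#include <stdio.h>

#define IPV6_MIN_MTU 1280 /* minimum IPv6 link MTU */
#define IPV6_HDR_LEN 40   /* fixed IPv6 header; assumes no extension headers */
#define FRAG_HDR_LEN 8    /* IPv6 fragment extension header */

/* Simplified model (assumption): fragment payload is rounded down to a
 * multiple of 8 bytes, then the unfragmentable headers are added back and
 * room for the fragment header is reserved. */
static int model_maxfraglen(int mtu, int fragheaderlen)
{
    return ((mtu - fragheaderlen) & ~7) + fragheaderlen - FRAG_HDR_LEN;
}

/* Hypothetical guard in the spirit of the fix: refuse to compute anything
 * when the MTU is below IPV6_MIN_MTU, so a negative length never reaches
 * the code that refragments queued data. */
static int checked_maxfraglen(int mtu, int fragheaderlen, int *out)
{
    if (mtu < IPV6_MIN_MTU)
        return -EINVAL;
    *out = model_maxfraglen(mtu, fragheaderlen);
    return 0;
}

int main(void)
{
    /* Constructed sample MTUs, including values a device could be set to
     * while a send is in progress. */
    static const int mtus[] = { 1500, 1280, 1279, 48, 8, 7, 4 };
    size_t i;

    for (i = 0; i < sizeof(mtus) / sizeof(mtus[0]); i++) {
        int guarded = 0;
        int rc = checked_maxfraglen(mtus[i], IPV6_HDR_LEN, &guarded);

        printf("mtu=%4d unchecked maxfraglen=%5d  checked: ", mtus[i],
               model_maxfraglen(mtus[i], IPV6_HDR_LEN));
        if (rc)
            printf("rejected (%d)\n", rc);
        else
            printf("%d\n", guarded);
    }
    return 0;
}
```
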