From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net] flow_dissector: properly cap thoff field
Date: Thu, 18 Jan 2018 16:26:26 -0500 (EST)
Message-ID: <20180118.162626.1790594555030528090.davem@davemloft.net>
References: <1516227673.3606.16.camel@gmail.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, willemb@google.com
To: eric.dumazet@gmail.com
Return-path:
Received: from shards.monkeyblade.net ([184.105.139.130]:58384 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750977AbeARV01 (ORCPT ); Thu, 18 Jan 2018 16:26:27 -0500
In-Reply-To: <1516227673.3606.16.camel@gmail.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Eric Dumazet
Date: Wed, 17 Jan 2018 14:21:13 -0800

> From: Eric Dumazet
>
> syzbot reported yet another crash [1] that is caused by
> insufficient validation of DODGY packets.
>
> Two bugs are happening here to trigger the crash.
>
> 1) Flow dissection leaves with incorrect thoff field.
>
> 2) skb_probe_transport_header() sets transport header to this invalid
> thoff, even if pointing after skb valid data.
>
> 3) qdisc_pkt_len_init() reads out-of-bound data because it
> trusts tcp_hdrlen(skb)
>
> Possible fixes :
>
> - Full flow dissector validation before injecting bad DODGY packets in
> the stack.
> This approach was attempted here : https://patchwork.ozlabs.org/patch/861874/
>
> - Have more robust functions in the core.
> This might be needed anyway for stable versions.
>
> This patch fixes the flow dissection issue.
>
> [1] ...
>
> Fixes: 34fad54c2537 ("net: __skb_flow_dissect() must cap its return value")
> Fixes: a6e544b0a88b ("flow_dissector: Jump to exit code in __skb_flow_dissect")
> Signed-off-by: Eric Dumazet
> Cc: Willem de Bruijn
> Reported-by: syzbot

Applied and queued up for -stable, thanks Eric.
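An added example, not the patch itself (the diff is not part of this message) and not kernel code: a small C model of the chain Eric describes, with the dissector's transport offset capped to the packet length and a consumer that bounds-checks before trusting thoff. The names struct pkt, dissect_thoff() and tcp_hdrlen_checked() are stand-ins I chose for sk_buff, __skb_flow_dissect() and qdisc_pkt_len_init(); the two packets are constructed samples.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for the socket buffer: just the linear data and its length. */
struct pkt { const uint8_t *data; size_t len; };

/* Walk an IPv4 header and return the transport-header offset (thoff).
 * cap != 0 clamps it to the packet length (the class of fix in the patch
 * subject); cap == 0 lets a bogus IHL point past the data (bug 1 above). */
static size_t dissect_thoff(const struct pkt *p, int cap)
{
    size_t nhoff = 0;
    if (p->len >= 20 && (p->data[0] >> 4) == 4)
        nhoff += (size_t)(p->data[0] & 0x0f) * 4; /* IHL as claimed by the packet */
    if (cap && nhoff > p->len)
        nhoff = p->len;
    return nhoff;
}

/* Robust consumer standing in for qdisc_pkt_len_init(): reads the TCP data
 * offset only if a full 20-byte TCP header lies inside the packet, else 0. */
static size_t tcp_hdrlen_checked(const struct pkt *p, size_t thoff)
{
    if (thoff > p->len || p->len - thoff < 20)
        return 0;
    return (size_t)(p->data[thoff + 12] >> 4) * 4;
}

/* Constructed samples: the sane one has IHL 5 and a TCP header with data
 * offset 5; the DODGY one claims IHL 15 (60 bytes) with only 24 bytes present. */
static size_t sample_len(int dodgy, uint8_t buf[40])
{
    memset(buf, 0, 40);
    buf[0] = dodgy ? 0x4f : 0x45; /* version 4 + IHL nibble */
    buf[9] = 6;                   /* protocol TCP */
    buf[20 + 12] = 0x50;          /* TCP data offset 5 words (sane layout only) */
    return dodgy ? 24 : 40;
}

/* Outcome of pushing one sample through the chain: raw thoff, capped thoff,
 * and the TCP header length the checked consumer is willing to derive. */
struct outcome { size_t raw_thoff, capped_thoff, hdrlen; };
static struct outcome run_sample(int dodgy)
{
    uint8_t buf[40];
    struct pkt p = { buf, sample_len(dodgy, buf) };
    struct outcome o = { dissect_thoff(&p, 0), dissect_thoff(&p, 1), 0 };
    o.hdrlen = tcp_hdrlen_checked(&p, o.capped_thoff);
    return o;
}
```

For the DODGY sample the uncapped thoff (60) lands past the 24 bytes of data, the capped one stops at 24, and the checked consumer returns 0 instead of reading beyond the buffer.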