From: David Miller
Subject: Re: [PATCH net v2] ipv6: the entire IPv6 header chain must fit the first fragment
Date: Sun, 25 Mar 2018 21:18:03 -0400 (EDT)
Message-ID: <20180325.211803.488689473146529035.davem@davemloft.net>
In-Reply-To: <43638c155545c57a4b332c64771a1e9b0238148c.1521812678.git.pabeni@redhat.com>
To: pabeni@redhat.com
Cc: netdev@vger.kernel.org, dsahern@gmail.com, syzbot+91e6f9932ff122fa4410@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com, eric.dumazet@gmail.com

From: Paolo Abeni
Date: Fri, 23 Mar 2018 14:47:30 +0100

> While building an ipv6 datagram we currently allow arbitrarily large
> extheaders, even beyond pmtu size. The syzbot has found a way
> to exploit the above to trigger the following splat:
...
> As stated by RFC 7112 section 5:
>
> When a host fragments an IPv6 datagram, it MUST include the entire
> IPv6 Header Chain in the First Fragment.
>
> So this patch addresses the issue dropping datagrams with excessive
> extheader length. It also updates the error path to report to the
> calling socket nonnegative pmtu values.
>
> The issue apparently predates git history.
>
> v1 -> v2: cleanup error path, as per Eric's suggestion
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: syzbot+91e6f9932ff122fa4410@syzkaller.appspotmail.com
> Signed-off-by: Paolo Abeni

Applied and queued up for -stable.
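The RFC 7112 rule the patch enforces, as a stand-alone illustration added here (not the kernel's code and not part of the thread): walk the extension-header chain of an IPv6 packet, compute the chain length, and refuse to fragment when that chain plus the Fragment header would not fit the first fragment. The packet layout, the `sample_pkt` buffer and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Next Header values of the extension headers that form the IPv6 header chain. */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_AH = 51, NH_DSTOPTS = 60 };

/* Bytes from the start of the fixed IPv6 header up to the upper-layer header,
 * i.e. the length of the header chain. Returns 0 for a truncated or malformed packet. */
size_t ipv6_header_chain_len(const uint8_t *pkt, size_t len)
{
    size_t off = 40;                                 /* fixed IPv6 header */
    uint8_t nh;
    if (len < off || (pkt[0] >> 4) != 6) return 0;
    nh = pkt[6];
    for (;;) {
        size_t hdrlen;
        int is_opt = (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS);
        if (!is_opt && nh != NH_FRAGMENT && nh != NH_AH) return off; /* upper-layer header reached */
        if (off + 2 > len) return 0;                 /* need Next Header and length octet */
        if (is_opt)
            hdrlen = ((size_t)pkt[off + 1] + 1) * 8; /* Hdr Ext Len: 8-octet units, first 8 excluded */
        else if (nh == NH_FRAGMENT)
            hdrlen = 8;
        else
            hdrlen = ((size_t)pkt[off + 1] + 2) * 4; /* AH Payload Len: 4-octet units minus 2 */
        if (off + hdrlen > len) return 0;            /* header claims more bytes than present */
        nh = pkt[off];                               /* every extension header starts with Next Header */
        off += hdrlen;
    }
}

/* The RFC 7112 rule from the patch description: before fragmenting to `mtu`, reject a
 * datagram whose header chain plus the 8-byte Fragment header cannot fit the first fragment. */
int ipv6_chain_fits_first_fragment(const uint8_t *pkt, size_t len, size_t mtu)
{
    size_t chain = ipv6_header_chain_len(pkt, len);
    return chain != 0 && chain + 8 <= mtu;
}

/* Constructed sample: fixed header -> Hop-by-Hop (8 B) -> Dest Opts (16 B) -> TCP (20 B). */
uint8_t sample_pkt[40 + 8 + 16 + 20];
size_t build_sample(void)
{
    memset(sample_pkt, 0, sizeof sample_pkt);
    sample_pkt[0] = 0x60; sample_pkt[6] = NH_HOPOPTS;       /* version 6, first ext header */
    sample_pkt[40] = NH_DSTOPTS; sample_pkt[41] = 0;        /* Hop-by-Hop: (0+1)*8 = 8 bytes */
    sample_pkt[48] = NH_TCP;     sample_pkt[49] = 1;        /* Dest Opts: (1+1)*8 = 16 bytes */
    return sizeof sample_pkt;                               /* 84 */
}
```

For the sample the chain is 64 bytes, so it fragments fine at 1280 but is rejected at an MTU of 64, and a buffer cut short inside the Destination Options header is reported as malformed rather than trusted.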