From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net] ip6_tunnel: be careful when accessing the inner header
Date: Wed, 19 Sep 2018 21:25:04 -0700 (PDT)
Message-ID: <20180919.212504.1074082892099388965.davem@davemloft.net>
References: <78ef06b7731007ff16b00962c58f36f87d689d65.1537362057.git.pabeni@redhat.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, glider@google.com
To: pabeni@redhat.com
Return-path:
Received: from shards.monkeyblade.net ([23.128.96.9]:34442 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726056AbeITKG1 (ORCPT ); Thu, 20 Sep 2018 06:06:27 -0400
In-Reply-To: <78ef06b7731007ff16b00962c58f36f87d689d65.1537362057.git.pabeni@redhat.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Paolo Abeni
Date: Wed, 19 Sep 2018 15:02:07 +0200

> the ip6 tunnel xmit ndo assumes that the processed skb always
> contains an ip[v6] header, but syzbot has found a way to send
> frames that fall short of this assumption, leading to the following splat:

...

> This change addresses the issue adding the needed check before
> accessing the inner header.
>
> The ipv4 side of the issue is apparently there since the ipv4 over ipv6
> initial support, and the ipv6 side predates git history.
>
> Fixes: c4d3efafcc93 ("[IPV6] IP6TUNNEL: Add support to IPv4 over IPv6 tunnel.")
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: syzbot+3fde91d4d394747d6db4@syzkaller.appspotmail.com
> Tested-by: Alexander Potapenko
> Signed-off-by: Paolo Abeni

Applied and queued up for -stable.
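
The class of check the quoted commit message describes (confirm the frame is long enough before touching the inner header), shown as an added userspace C example; it is not the kernel patch, which this message does not include. The names `parse_inner` and `inner_info`, the fields read, and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace model of the check; hypothetical names, not kernel code. */
enum { INNER_IPV4 = 0x0800, INNER_IPV6 = 0x86DD };   /* EtherType values */
enum { IPV4_HDR_MIN = 20, IPV6_HDR_LEN = 40 };       /* header sizes in bytes */
struct inner_info { uint8_t dsfield; uint8_t next_proto; };

/* Constructed sample frames (only the bytes the parser reads are set). */
static const uint8_t sample_v4[20] = { 0x45, 0x10, 0, 20, 0, 0, 0, 0, 64, 17 };
static const uint8_t sample_v6[40] = { 0x6a, 0xb0, 0, 0, 0, 0, 58, 64 };

/* Returns 0 and fills *out only when the frame holds a complete inner
 * header for the claimed protocol; returns -1 so the caller drops it. */
int parse_inner(const uint8_t *frame, size_t len, unsigned int proto,
                struct inner_info *out)
{
    size_t ihl;

    if (!frame || !out)
        return -1;
    switch (proto) {
    case INNER_IPV4:
        if (len < IPV4_HDR_MIN)          /* length check comes first */
            return -1;
        ihl = (size_t)(frame[0] & 0x0f) * 4;
        if ((frame[0] >> 4) != 4 || ihl < IPV4_HDR_MIN || ihl > len)
            return -1;                   /* header claims more than we hold */
        out->dsfield = frame[1];
        out->next_proto = frame[9];
        return 0;
    case INNER_IPV6:
        if (len < IPV6_HDR_LEN)
            return -1;
        if ((frame[0] >> 4) != 6)
            return -1;
        /* traffic class straddles the first two bytes */
        out->dsfield = (uint8_t)((frame[0] << 4) | (frame[1] >> 4));
        out->next_proto = frame[6];
        return 0;
    default:
        return -1;                       /* unknown inner protocol */
    }
}

int main(void)
{
    struct inner_info info;
    int short_v6 = parse_inner(sample_v6, 8, INNER_IPV6, &info);  /* truncated */
    int full_v4 = parse_inner(sample_v4, sizeof sample_v4, INNER_IPV4, &info);
    return (short_v6 == -1 && full_v4 == 0) ? 0 : 1;
}
```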