[PATCH net 2/2] net: add more sanity checks to qdisc_pkt_len_init()

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Eric Dumazet <edumazet@google.com>
To: "David S . Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	 Paolo Abeni <pabeni@redhat.com>
Cc: David Ahern <dsahern@kernel.org>,
	netdev@vger.kernel.org,  Willem de Bruijn <willemb@google.com>,
	Jonathan Davies <jonathan.davies@nutanix.com>,
	eric.dumazet@gmail.com,  Eric Dumazet <edumazet@google.com>
Subject: [PATCH net 2/2] net: add more sanity checks to qdisc_pkt_len_init()
Date: Tue, 24 Sep 2024 15:02:57 +0000	[thread overview]
Message-ID: <20240924150257.1059524-3-edumazet@google.com> (raw)
In-Reply-To: <20240924150257.1059524-1-edumazet@google.com>

One path takes care of SKB_GSO_DODGY, assuming
skb->len is bigger than hdr_len.

virtio_net_hdr_to_skb() does not fully dissect TCP headers,
it only make sure it is at least 20 bytes.

It is possible for an user to provide a malicious 'GSO' packet,
total length of 80 bytes.

- 20 bytes of IPv4 header
- 60 bytes TCP header
- a small gso_size like 8

virtio_net_hdr_to_skb() would declare this packet as a normal
GSO packet, because it would see 40 bytes of payload,
bigger than gso_size.

We need to make detect this case to not underflow
qdisc_skb_cb(skb)->pkt_len.

Fixes: 1def9238d4aa ("net_sched: more precise pkt_len computation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/core/dev.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index f2c47da79f17d5ebe6b334b63d66c84c84c519fc..35b8bcfb209bd274c81380eaf6e445641306b018 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3766,10 +3766,14 @@ static void qdisc_pkt_len_init(struct sk_buff *skb)
 				hdr_len += sizeof(struct udphdr);
 		}
 
-		if (shinfo->gso_type & SKB_GSO_DODGY)
-			gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
-						shinfo->gso_size);
+		if (unlikely(shinfo->gso_type & SKB_GSO_DODGY)) {
+			int payload = skb->len - hdr_len;
 
+			/* Malicious packet. */
+			if (payload <= 0)
+				return;
+			gso_segs = DIV_ROUND_UP(payload, shinfo->gso_size);
+		}
 		qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;
 	}
 }
-- 
2.46.0.792.g87dc391469-goog

next prev parent reply	other threads:[~2024-09-24 15:03 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-24 15:02 [PATCH net 0/2] net: two fixes for qdisc_pkt_len_init() Eric Dumazet
2024-09-24 15:02 ` [PATCH net 1/2] net: avoid potential underflow in qdisc_pkt_len_init() with UFO Eric Dumazet
2024-09-26  9:07   ` Willem de Bruijn
2024-09-26 18:00   ` Jonathan Davies
2024-09-24 15:02 ` Eric Dumazet [this message]
2024-09-25 17:51   ` [PATCH net 2/2] net: add more sanity checks to qdisc_pkt_len_init() Joe Damato
2024-09-25 18:00     ` Eric Dumazet
2024-09-25 18:24       ` Joe Damato
2024-09-25 18:27         ` Stephen Hemminger
2024-09-25 18:55         ` Eric Dumazet
2024-09-25 19:01           ` Eric Dumazet
2024-09-25 19:15             ` Joe Damato
2024-09-25 19:07           ` Joe Damato
2024-09-25 19:08             ` Eric Dumazet
2024-09-26  9:13   ` Willem de Bruijn
2024-09-26  9:17     ` Willem de Bruijn
2024-09-26  9:19       ` Eric Dumazet
2024-10-01  9:57         ` Paolo Abeni
2024-09-26  2:26 ` [PATCH net 0/2] net: two fixes for qdisc_pkt_len_init() David Ahern
2024-10-01 10:10 ` patchwork-bot+netdevbpf

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f2c47da79f17d5ebe6b334b63d66c84c84c519f
dfblob:35b8bcfb209bd274c81380eaf6e445641306b01 )
 OR (
bs:"[PATCH net 2/2] net: add more sanity checks to qdisc_pkt_len_init()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240924150257.1059524-3-edumazet@google.com \
    --to=edumazet@google.com \
    --cc=davem@davemloft.net \
    --cc=dsahern@kernel.org \
    --cc=eric.dumazet@gmail.com \
    --cc=jonathan.davies@nutanix.com \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=willemb@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).