* [PATCH net] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
@ 2017-08-18 12:40 Stefano Brivio
2017-08-22 17:23 ` David Miller
From: Stefano Brivio @ 2017-08-18 12:40 UTC
To: netdev; +Cc: Sabrina Dubroca, Hannes Frederic Sowa
A packet length of exactly IPV6_MAXPLEN is allowed, we should
refuse parsing options only if the size is 64KiB or more.
While at it, remove one extra variable and one assignment which
were also introduced by the commit that introduced the size
check. Checking the sum 'offset + len' and only later adding
'len' to 'offset' doesn't provide any advantage over directly
summing to 'offset' and checking it.
Fixes: 6399f1fae4ec ("ipv6: avoid overflow of offset in ip6_find_1stfragopt")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
net/ipv6/output_core.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index abb2c307fbe8..a338bbc33cf3 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -86,7 +86,6 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
while (offset <= packet_len) {
struct ipv6_opt_hdr *exthdr;
- unsigned int len;
switch (**nexthdr) {
@@ -112,10 +111,9 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
offset);
- len = ipv6_optlen(exthdr);
- if (len + offset >= IPV6_MAXPLEN)
+ offset += ipv6_optlen(exthdr);
+ if (offset > IPV6_MAXPLEN)
return -EINVAL;
- offset += len;
*nexthdr = &exthdr->nexthdr;
}
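Review bot: The new test `if (offset > IPV6_MAXPLEN)` runs after `offset += ipv6_optlen(exthdr)`, so it is only sound if `offset` itself cannot wrap or truncate when the option length is added. The removed form compared `len + offset` with `len` declared `unsigned int`, which did the sum at that width regardless of how `offset` is declared. The declaration of `offset` is not in this hunk, and the commit named in Fixes: is about overflow of exactly this variable, so the commit message should state the type of `offset` and that the sum fits in it before the comparison. Separately, the change from `>=` to `>` is the functional part of the patch and the variable removal is cleanup; a one-line comment above the check saying that a length of exactly IPV6_MAXPLEN is valid would keep the boundary from being "fixed" back later.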
--
2.9.4
* Re: [PATCH net] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
From: David Miller @ 2017-08-22 17:23 UTC
To: sbrivio; +Cc: netdev, sd, hannes
From: Stefano Brivio <sbrivio@redhat.com>
Date: Fri, 18 Aug 2017 14:40:53 +0200
> A packet length of exactly IPV6_MAXPLEN is allowed, we should
> refuse parsing options only if the size is 64KiB or more.
>
> While at it, remove one extra variable and one assignment which
> were also introduced by the commit that introduced the size
> check. Checking the sum 'offset + len' and only later adding
> 'len' to 'offset' doesn't provide any advantage over directly
> summing to 'offset' and checking it.
>
> Fixes: 6399f1fae4ec ("ipv6: avoid overflow of offset in ip6_find_1stfragopt")
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Applied, thanks.