From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paolo Abeni Subject: Re: [PATCH net] ip6_tunnel: be careful when accessing the inner header Date: Mon, 24 Sep 2018 13:03:17 +0200 Message-ID: References: <78ef06b7731007ff16b00962c58f36f87d689d65.1537362057.git.pabeni@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit Cc: Linux Kernel Network Developers , David Miller , Alexander Potapenko To: Cong Wang Return-path: Received: from mx1.redhat.com ([209.132.183.28]:45654 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727229AbeIXREv (ORCPT ); Mon, 24 Sep 2018 13:04:51 -0400 In-Reply-To: Sender: netdev-owner@vger.kernel.org List-ID: On Fri, 2018-09-21 at 11:51 -0700, Cong Wang wrote: > On Wed, Sep 19, 2018 at 6:04 AM Paolo Abeni wrote: > > diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c > > index 419960b0ba16..a0b6932c3afd 100644 > > --- a/net/ipv6/ip6_tunnel.c > > +++ b/net/ipv6/ip6_tunnel.c > > @@ -1234,7 +1234,7 @@ static inline int > > ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) > > { > > struct ip6_tnl *t = netdev_priv(dev); > > - const struct iphdr *iph = ip_hdr(skb); > > + const struct iphdr *iph; > > int encap_limit = -1; > > struct flowi6 fl6; > > __u8 dsfield; > > @@ -1242,6 +1242,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) > > u8 tproto; > > int err; > > > > + /* ensure we can access the full inner ip header */ > > + if (!pskb_may_pull(skb, sizeof(struct iphdr))) > > + return -1; > > + > > + iph = ip_hdr(skb); > > Hmm... > > How do IPv4 tunnels ensure they have the right inner header to access? > ip_tunnel_xmit() uses skb_inner_network_header() to access inner header > which doesn't have any check either AFAIK. You are right, I think we need similar checks for ip_tunnel_xmit(), too. I'll try to cook a patch. Cheers, Paolo
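Review bot: in the first hunk (@@ -1234,7) `iph` loses its initializer, but nothing records why the load has to be deferred. pskb_may_pull() can reallocate the skb head, so a pointer taken from ip_hdr(skb) before the pull may be stale afterwards. Suggest saying so in the comment next to the new check, for example "load iph only after the pull, the head may be reallocated", so that a later cleanup does not fold `iph = ip_hdr(skb)` back into the declaration.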
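Review bot: in the second hunk (@@ -1242,6) the comment promises "the full inner ip header", but the pull length is `sizeof(struct iphdr)`, which guarantees only the fixed part of the header is in the linear area. If anything further down in ip4ip6_tnl_xmit() reads past that fixed part, that access is still unchecked; either reword the comment to "fixed inner IPv4 header" or pull the length actually needed. The bare `return -1` also deserves a short note on what the caller does with the skb on this path, since the hunk does not show who frees it. The quoted question about ip_tunnel_xmit() and skb_inner_network_header() points at the same unchecked access on the IPv4 tunnel side, so a matching check there should go in with this fix or directly after it.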