From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Dumazet
Subject: Re: [PATCHv3 net 3/3] net: sched: ife: check on metadata length
Date: Thu, 19 Apr 2018 15:24:01 -0700
Message-ID:
References: <20180419221445.26205-1-aring@mojatatu.com> <20180419221445.26205-4-aring@mojatatu.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: jhs@mojatatu.com, davem@davemloft.net, xiyou.wangcong@gmail.com, jiri@resnulli.us, yuvalm@mellanox.com, netdev@vger.kernel.org, kernel@mojatatu.com
To: Alexander Aring , yotam.gi@gmail.com
Return-path:
Received: from mail-pg0-f66.google.com ([74.125.83.66]:38794 "EHLO mail-pg0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753728AbeDSWYE (ORCPT ); Thu, 19 Apr 2018 18:24:04 -0400
Received: by mail-pg0-f66.google.com with SMTP id b5so3145237pgv.5 for ; Thu, 19 Apr 2018 15:24:04 -0700 (PDT)
In-Reply-To: <20180419221445.26205-4-aring@mojatatu.com>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID:

On 04/19/2018 03:14 PM, Alexander Aring wrote:
> This patch checks if sk buffer is available to dereference ife header. If
> not then NULL will be returned to signal a malformed ife packet. This
> avoids crashing the kernel from outside.
>
> Signed-off-by: Alexander Aring
> Reviewed-by: Yotam Gigi
> Acked-by: Jamal Hadi Salim
> ---
> net/ife/ife.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/ife/ife.c b/net/ife/ife.c
> index 7fbe70a0af4b..570a18d4ca32 100644
> --- a/net/ife/ife.c
> +++ b/net/ife/ife.c
> @@ -70,6 +70,9 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen) > u16 ifehdrln; > > ifehdr = (struct ifeheadr *) (skb->data + skb->dev->hard_header_len); > + if (!pskb_may_pull(skb, skb->dev->hard_header_len + IFE_METAHDRLEN)) > + return NULL; > + No, you need to move here : ifehdr = (struct ifeheadr *) (skb->data + skb->dev->hard_header_len); > ifehdrln = ntohs(ifehdr->metalen); > total_pull = skb->dev->hard_header_len + ifehdrln; > > Please do not rush, wait one day before sending V4, no need to flood netdev@
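
Review bot: In ife_decode(), `ifehdr` is still computed from `skb->data` before the new `pskb_may_pull()` call, and pskb_may_pull() can reallocate the skb head, so the following `ntohs(ifehdr->metalen)` may read through a stale pointer. Move the `ifehdr = ...` assignment below the `return NULL;` so it is derived from the post-pull `skb->data`. The check also only guarantees `hard_header_len + IFE_METAHDRLEN` bytes; in the visible lines `ifehdrln` comes straight from the packet and is added into `total_pull` with no bound, so confirm that the code after this hunk rejects a metalen smaller than IFE_METAHDRLEN or larger than the data actually present.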