[PATCH net v2 0/2] bareudp: Pull inner IP header on xmit/recv.

[PATCH net v2 0/2] bareudp: Pull inner IP header on xmit/recv.

[Guillaume Nault]

Bareudp accesses the inner IP header in its xmit and recv paths.
However it doesn't ensure that this header is part of skb->head.

Both vxlan and geneve have received fixes for similar problems in the
past. This series fixes bareudp using the same approach.

Guillaume Nault (2):
  bareudp: Pull inner IP header in bareudp_udp_encap_recv().
  bareudp: Pull inner IP header on xmit.

 drivers/net/bareudp.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

-- 
2.39.2

[PATCH net v2 1/2] bareudp: Pull inner IP header in bareudp_udp_encap_recv().

[Guillaume Nault]

Bareudp reads the inner IP header to get the ECN value. Therefore, it
needs to ensure that it's part of the skb's linear data.

This is similar to the vxlan and geneve fixes for that same problem:
  * commit f7789419137b ("vxlan: Pull inner IP header in vxlan_rcv().")
  * commit 1ca1ba465e55 ("geneve: make sure to pull inner header in
    geneve_rx()")

Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
v2: Add Fixes: tag.

 drivers/net/bareudp.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index 7aca0544fb29..b4e820a123ca 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -68,6 +68,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 	__be16 proto;
 	void *oiph;
 	int err;
+	int nh;
 
 	bareudp = rcu_dereference_sk_user_data(sk);
 	if (!bareudp)
@@ -148,10 +149,25 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 	}
 	skb_dst_set(skb, &tun_dst->dst);
 	skb->dev = bareudp->dev;
-	oiph = skb_network_header(skb);
-	skb_reset_network_header(skb);
 	skb_reset_mac_header(skb);
 
+	/* Save offset of outer header relative to skb->head,
+	 * because we are going to reset the network header to the inner header
+	 * and might change skb->head.
+	 */
+	nh = skb_network_header(skb) - skb->head;
+
+	skb_reset_network_header(skb);
+
+	if (!pskb_inet_may_pull(skb)) {
+		DEV_STATS_INC(bareudp->dev, rx_length_errors);
+		DEV_STATS_INC(bareudp->dev, rx_errors);
+		goto drop;
+	}
+
+	/* Get the outer header. */
+	oiph = skb->head + nh;
+
 	if (!ipv6_mod_enabled() || family == AF_INET)
 		err = IP_ECN_decapsulate(oiph, skb);
 	else
-- 
2.39.2

[PATCH net v2 2/2] bareudp: Pull inner IP header on xmit.

[Guillaume Nault]

Both bareudp_xmit_skb() and bareudp6_xmit_skb() read their skb's inner
IP header to get its ECN value (with ip_tunnel_ecn_encap()). Therefore
we need to ensure that the inner IP header is part of the skb's linear
data.

Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
v2: Add Fixes: tag.

 drivers/net/bareudp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index b4e820a123ca..e80992b4f9de 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -317,6 +317,9 @@ static int bareudp_xmit_skb(struct sk_buff *skb, struct net_device *dev,
 	__be32 saddr;
 	int err;
 
+	if (!skb_vlan_inet_prepare(skb, skb->protocol != htons(ETH_P_TEB)))
+		return -EINVAL;
+
 	if (!sock)
 		return -ESHUTDOWN;
 
@@ -384,6 +387,9 @@ static int bareudp6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
 	__be16 sport;
 	int err;
 
+	if (!skb_vlan_inet_prepare(skb, skb->protocol != htons(ETH_P_TEB)))
+		return -EINVAL;
+
 	if (!sock)
 		return -ESHUTDOWN;
 
-- 
2.39.2

Re: [PATCH net v2 1/2] bareudp: Pull inner IP header in bareudp_udp_encap_recv().

[Willem de Bruijn]

Guillaume Nault wrote:
> Bareudp reads the inner IP header to get the ECN value. Therefore, it
> needs to ensure that it's part of the skb's linear data.
> 
> This is similar to the vxlan and geneve fixes for that same problem:
>   * commit f7789419137b ("vxlan: Pull inner IP header in vxlan_rcv().")
>   * commit 1ca1ba465e55 ("geneve: make sure to pull inner header in
>     geneve_rx()")
> 
> Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
> Signed-off-by: Guillaume Nault <gnault@redhat.com>

Reviewed-by: Willem de Bruijn <willemb@google.com>

Re: [PATCH net v2 2/2] bareudp: Pull inner IP header on xmit.

[Willem de Bruijn]

Guillaume Nault wrote:
> Both bareudp_xmit_skb() and bareudp6_xmit_skb() read their skb's inner
> IP header to get its ECN value (with ip_tunnel_ecn_encap()). Therefore
> we need to ensure that the inner IP header is part of the skb's linear
> data.
> 
> Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
> Signed-off-by: Guillaume Nault <gnault@redhat.com>

Reviewed-by: Willem de Bruijn <willemb@google.com>

Re: [PATCH net v2 0/2] bareudp: Pull inner IP header on xmit/recv.

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 11 Sep 2024 11:20:51 +0200 you wrote:
> Bareudp accesses the inner IP header in its xmit and recv paths.
> However it doesn't ensure that this header is part of skb->head.
> 
> Both vxlan and geneve have received fixes for similar problems in the
> past. This series fixes bareudp using the same approach.
> 
> Guillaume Nault (2):
>   bareudp: Pull inner IP header in bareudp_udp_encap_recv().
>   bareudp: Pull inner IP header on xmit.
> 
> [...]

Here is the summary with links:
  - [net,v2,1/2] bareudp: Pull inner IP header in bareudp_udp_encap_recv().
    https://git.kernel.org/netdev/net/c/45fa29c85117
  - [net,v2,2/2] bareudp: Pull inner IP header on xmit.
    https://git.kernel.org/netdev/net/c/c471236b2359

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html