Patch "xfrm6: Fix IPv6 payload_len in xfrm6_transport_finish" has been added to the 4.11-stable tree

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* Patch "xfrm6: Fix IPv6 payload_len in xfrm6_transport_finish" has been added to the 4.11-stable tree
@ 2017-07-03 11:51 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2017-07-03 11:51 UTC (permalink / raw)
  To: yossiku, gregkh, steffen.klassert; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    xfrm6: Fix IPv6 payload_len in xfrm6_transport_finish

to the 4.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm6-fix-ipv6-payload_len-in-xfrm6_transport_finish.patch
and it can be found in the queue-4.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 7c88e21aefcf86fb41b48b2e04528db5a30fbe18 Mon Sep 17 00:00:00 2001
From: Yossi Kuperman <yossiku@mellanox.com>
Date: Thu, 22 Jun 2017 11:37:10 +0300
Subject: xfrm6: Fix IPv6 payload_len in xfrm6_transport_finish

From: Yossi Kuperman <yossiku@mellanox.com>

commit 7c88e21aefcf86fb41b48b2e04528db5a30fbe18 upstream.

IPv6 payload length indicates the size of the payload, including any
extension headers.

In xfrm6_transport_finish, ipv6_hdr(skb)->payload_len is set to the
payload size only, regardless of the presence of any extension headers.
After ESP GRO transport mode decapsulation, ipv6_rcv trims the packet
according to the wrong payload_len, thus corrupting the packet.

Set payload_len to account for extension headers as well.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Signed-off-by: Yossi Kuperman <yossiku@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ipv6/xfrm6_input.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -43,8 +43,8 @@ int xfrm6_transport_finish(struct sk_buf
 		return 1;
 #endif
 
-	ipv6_hdr(skb)->payload_len = htons(skb->len);
 	__skb_push(skb, skb->data - skb_network_header(skb));
+	ipv6_hdr(skb)->payload_len = htons(skb->len - sizeof(struct ipv6hdr));
 
 	if (xo && (xo->flags & XFRM_GRO)) {
 		skb_mac_header_rebuild(skb);


Patches currently in stable-queue which might be from yossiku@mellanox.com are

queue-4.11/xfrm6-fix-ipv6-payload_len-in-xfrm6_transport_finish.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2017-07-03 11:51 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-07-03 11:51 Patch "xfrm6: Fix IPv6 payload_len in xfrm6_transport_finish" has been added to the 4.11-stable tree gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox