From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
"Niccol� Belli" <darkbasic@linuxsystems.it>,
"Eric Dumazet" <eric.dumazet@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 17/38] ipsec: be careful of non existing mac headers
Date: Fri, 16 Mar 2012 16:35:04 -0700 [thread overview]
Message-ID: <20120316233448.795009692@linuxfoundation.org> (raw)
In-Reply-To: <20120316233422.GA5461@kroah.com>
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 3923 bytes --]
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <eric.dumazet@gmail.com>
[ Upstream commit 03606895cd98c0a628b17324fd7b5ff15db7e3cd ]
Niccolo Belli reported ipsec crashes in case we handle a frame without
mac header (atm in his case)
Before copying mac header, better make sure it is present.
Bugzilla reference: https://bugzilla.kernel.org/show_bug.cgi?id=42809
Reported-by: Niccol� Belli <darkbasic@linuxsystems.it>
Tested-by: Niccol� Belli <darkbasic@linuxsystems.it>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/skbuff.h | 10 ++++++++++
net/ipv4/xfrm4_mode_beet.c | 5 +----
net/ipv4/xfrm4_mode_tunnel.c | 6 ++----
net/ipv6/xfrm6_mode_beet.c | 6 +-----
net/ipv6/xfrm6_mode_tunnel.c | 6 ++----
5 files changed, 16 insertions(+), 17 deletions(-)
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1370,6 +1370,16 @@ static inline void skb_set_mac_header(st
}
#endif /* NET_SKBUFF_DATA_USES_OFFSET */
+static inline void skb_mac_header_rebuild(struct sk_buff *skb)
+{
+ if (skb_mac_header_was_set(skb)) {
+ const unsigned char *old_mac = skb_mac_header(skb);
+
+ skb_set_mac_header(skb, -skb->mac_len);
+ memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ }
+}
+
static inline int skb_checksum_start_offset(const struct sk_buff *skb)
{
return skb->csum_start - skb_headroom(skb);
--- a/net/ipv4/xfrm4_mode_beet.c
+++ b/net/ipv4/xfrm4_mode_beet.c
@@ -110,10 +110,7 @@ static int xfrm4_beet_input(struct xfrm_
skb_push(skb, sizeof(*iph));
skb_reset_network_header(skb);
-
- memmove(skb->data - skb->mac_len, skb_mac_header(skb),
- skb->mac_len);
- skb_set_mac_header(skb, -skb->mac_len);
+ skb_mac_header_rebuild(skb);
xfrm4_beet_make_header(skb);
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -66,7 +66,6 @@ static int xfrm4_mode_tunnel_output(stru
static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
{
- const unsigned char *old_mac;
int err = -EINVAL;
if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPIP)
@@ -84,10 +83,9 @@ static int xfrm4_mode_tunnel_input(struc
if (!(x->props.flags & XFRM_STATE_NOECN))
ipip_ecn_decapsulate(skb);
- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
skb_reset_network_header(skb);
+ skb_mac_header_rebuild(skb);
+
err = 0;
out:
--- a/net/ipv6/xfrm6_mode_beet.c
+++ b/net/ipv6/xfrm6_mode_beet.c
@@ -80,7 +80,6 @@ static int xfrm6_beet_output(struct xfrm
static int xfrm6_beet_input(struct xfrm_state *x, struct sk_buff *skb)
{
struct ipv6hdr *ip6h;
- const unsigned char *old_mac;
int size = sizeof(struct ipv6hdr);
int err;
@@ -90,10 +89,7 @@ static int xfrm6_beet_input(struct xfrm_
__skb_push(skb, size);
skb_reset_network_header(skb);
-
- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
+ skb_mac_header_rebuild(skb);
xfrm6_beet_make_header(skb);
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -63,7 +63,6 @@ static int xfrm6_mode_tunnel_output(stru
static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
{
int err = -EINVAL;
- const unsigned char *old_mac;
if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPV6)
goto out;
@@ -80,10 +79,9 @@ static int xfrm6_mode_tunnel_input(struc
if (!(x->props.flags & XFRM_STATE_NOECN))
ipip6_ecn_decapsulate(skb);
- old_mac = skb_mac_header(skb);
- skb_set_mac_header(skb, -skb->mac_len);
- memmove(skb_mac_header(skb), old_mac, skb->mac_len);
skb_reset_network_header(skb);
+ skb_mac_header_rebuild(skb);
+
err = 0;
out:
next prev parent reply other threads:[~2012-03-16 23:35 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-16 23:34 [ 00/38] 3.0.25-stable review Greg KH
2012-03-16 23:34 ` [ 01/38] ASoC: neo1973: fix neo1973 wm8753 initialization Greg KH
2012-03-16 23:34 ` [ 02/38] aio: fix io_setup/io_destroy race Greg KH
2012-03-16 23:34 ` [ 03/38] aio: fix the "too late munmap()" race Greg KH
2012-03-16 23:34 ` [ 04/38] x86: Derandom delay_tsc for 64 bit Greg KH
2012-03-16 23:34 ` [ 05/38] PCI: ignore pre-1.1 ASPM quirking when ASPM is disabled Greg KH
2012-03-19 10:20 ` Jiri Slaby
2012-03-19 15:46 ` Greg KH
2012-03-19 15:53 ` Matthew Garrett
2012-03-19 16:04 ` Jonathan Nieder
2012-03-19 16:25 ` Greg KH
2012-03-19 16:33 ` Jonathan Nieder
2012-03-16 23:34 ` [ 06/38] firewire: cdev: fix 32 bit userland on 64 bit kernel compat corner cases Greg KH
2012-03-16 23:34 ` [ 07/38] firewire: core: handle ack_busy when fetching the Config ROM Greg KH
2012-03-16 23:34 ` [ 08/38] PM / Driver core: leave runtime PM enabled during system shutdown Greg KH
2012-03-16 23:34 ` [ 09/38] rt2x00: fix random stalls Greg KH
2012-03-16 23:34 ` [ 10/38] vfs: fix return value from do_last() Greg KH
2012-03-16 23:34 ` [ 11/38] vfs: fix double put after complete_walk() Greg KH
2012-03-16 23:34 ` [ 12/38] acer-wmi: support Lenovo ideapad S205 wifi switch Greg KH
2012-03-16 23:35 ` [ 13/38] acer-wmi: Add wireless quirk for Lenovo 3000 N200 Greg KH
2012-03-16 23:35 ` [ 14/38] acer-wmi: check wireless capability flag before register rfkill Greg KH
2012-03-16 23:35 ` [ 15/38] acer-wmi: No wifi rfkill on Lenovo machines Greg KH
2012-03-16 23:35 ` [ 16/38] neighbour: Fixed race condition at tbl->nht Greg KH
2012-03-16 23:35 ` Greg KH [this message]
2012-03-16 23:35 ` [ 18/38] ppp: fix ppp_mp_reconstruct bad seq errors Greg KH
2012-03-16 23:35 ` [ 19/38] tcp: fix false reordering signal in tcp_shifted_skb Greg KH
2012-03-16 23:35 ` [ 20/38] vmxnet3: Fix transport header size Greg KH
2012-03-16 23:35 ` [ 21/38] tcp: dont fragment SACKed skbs in tcp_mark_head_lost() Greg KH
2012-03-16 23:35 ` [ 22/38] bridge: check return value of ipv6_dev_get_saddr() Greg KH
2012-03-16 23:35 ` [ 23/38] tcp: fix tcp_shift_skb_data() to not shift SACKed data below snd_una Greg KH
2012-03-16 23:35 ` [ 24/38] IPv6: Fix not join all-router mcast group when forwarding set Greg KH
2012-03-16 23:35 ` [ 25/38] atl1c: dont use highprio tx queue Greg KH
2012-03-16 23:35 ` [ 26/38] usb: asix: Patch for Sitecom LN-031 Greg KH
2012-03-16 23:35 ` [ 28/38] regulator: Fix setting selector in tps6524x set_voltage function Greg KH
2012-03-16 23:35 ` [ 29/38] block: Fix NULL pointer dereference in sd_revalidate_disk Greg KH
2012-03-16 23:35 ` [ 30/38] block, sx8: fix pointer math issue getting fw version Greg KH
2012-03-16 23:35 ` [ 31/38] block: fix __blkdev_get and add_disk race condition Greg KH
2012-03-16 23:35 ` [ 32/38] Block: use a freezable workqueue for disk-event polling Greg KH
2012-03-16 23:35 ` [ 33/38] sfc: Fix assignment of ip_summed for pre-allocated skbs Greg KH
2012-03-16 23:35 ` [ 34/38] sparc32: Add -Av8 to assembler command line Greg KH
2012-03-16 23:35 ` [ 35/38] compat: Re-add missing asm/compat.h include to fix compile breakage on s390 Greg KH
2012-03-16 23:35 ` [ 36/38] hwmon: (w83627ehf) Fix writing into fan_stop_time for NCT6775F/NCT6776F Greg KH
2012-03-16 23:35 ` [ 37/38] hwmon: (w83627ehf) Fix memory leak in probe function Greg KH
2012-03-16 23:35 ` [ 38/38] i2c-algo-bit: Fix spurious SCL timeouts under heavy load Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120316233448.795009692@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=darkbasic@linuxsystems.it \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).