From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
Willem de Bruijn <willemb@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 02/20] ipv6: fix ip6_tnl_parse_tlv_enc_lim()
Date: Thu, 16 Feb 2017 09:53:32 -0800 [thread overview]
Message-ID: <20170216175259.619574493@linuxfoundation.org> (raw)
In-Reply-To: <20170216175259.514980415@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 ]
This function suffers from multiple issues.
First one is that pskb_may_pull() may reallocate skb->head,
so the 'raw' pointer needs either to be reloaded or not used at all.
Second issue is that NEXTHDR_DEST handling does not validate
that the options are present in skb->data, so we might read
garbage or access non existent memory.
With help from Willem de Bruijn.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_tunnel.c | 34 ++++++++++++++++++++++------------
1 file changed, 22 insertions(+), 12 deletions(-)
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -479,18 +479,19 @@ ip6_tnl_dev_uninit(struct net_device *de
__u16 ip6_tnl_parse_tlv_enc_lim(struct sk_buff *skb, __u8 *raw)
{
- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) raw;
- __u8 nexthdr = ipv6h->nexthdr;
- __u16 off = sizeof(*ipv6h);
+ const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw;
+ unsigned int nhoff = raw - skb->data;
+ unsigned int off = nhoff + sizeof(*ipv6h);
+ u8 next, nexthdr = ipv6h->nexthdr;
while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) {
- __u16 optlen = 0;
struct ipv6_opt_hdr *hdr;
- if (raw + off + sizeof(*hdr) > skb->data &&
- !pskb_may_pull(skb, raw - skb->data + off + sizeof (*hdr)))
+ u16 optlen;
+
+ if (!pskb_may_pull(skb, off + sizeof(*hdr)))
break;
- hdr = (struct ipv6_opt_hdr *) (raw + off);
+ hdr = (struct ipv6_opt_hdr *)(skb->data + off);
if (nexthdr == NEXTHDR_FRAGMENT) {
struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr;
if (frag_hdr->frag_off)
@@ -501,20 +502,29 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct s
} else {
optlen = ipv6_optlen(hdr);
}
+ /* cache hdr->nexthdr, since pskb_may_pull() might
+ * invalidate hdr
+ */
+ next = hdr->nexthdr;
if (nexthdr == NEXTHDR_DEST) {
- __u16 i = off + 2;
+ u16 i = 2;
+
+ /* Remember : hdr is no longer valid at this point. */
+ if (!pskb_may_pull(skb, off + optlen))
+ break;
+
while (1) {
struct ipv6_tlv_tnl_enc_lim *tel;
/* No more room for encapsulation limit */
- if (i + sizeof (*tel) > off + optlen)
+ if (i + sizeof(*tel) > optlen)
break;
- tel = (struct ipv6_tlv_tnl_enc_lim *) &raw[i];
+ tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
/* return index of option if found and valid */
if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT &&
tel->length == 1)
- return i;
+ return i + off - nhoff;
/* else jump to next option */
if (tel->type)
i += tel->length + 2;
@@ -522,7 +532,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct s
i++;
}
}
- nexthdr = hdr->nexthdr;
+ nexthdr = next;
off += optlen;
}
return 0;
next prev parent reply other threads:[~2017-02-16 17:54 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-16 17:53 [PATCH 4.4 00/20] 4.4.50-stable review Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 01/20] can: Fix kernel panic at security_sock_rcv_skb Greg Kroah-Hartman
2017-02-16 17:53 ` Greg Kroah-Hartman [this message]
2017-02-16 17:53 ` [PATCH 4.4 03/20] ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 04/20] tcp: fix 0 divide in __tcp_select_window() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 05/20] net: use a work queue to defer net_disable_timestamp() work Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 06/20] ipv4: keep skb->dst around in presence of IP options Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 07/20] netlabel: out of bound access in cipso_v4_validate() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 08/20] ip6_gre: fix ip6gre_err() invalid reads Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 09/20] ipv6: tcp: add a missing tcp_v6_restore_cb() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 10/20] tcp: avoid infinite loop in tcp_splice_read() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 11/20] tun: read vnet_hdr_sz once Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 12/20] macvtap: read vnet_hdr_size once Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 13/20] mlx4: Invoke softirqs after napi_reschedule Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 14/20] sctp: avoid BUG_ON on sctp_wait_for_sndbuf Greg Kroah-Hartman
2017-02-21 16:08 ` Ben Hutchings
2017-02-21 16:56 ` Marcelo
2017-02-21 19:54 ` Marcelo Ricardo Leitner
2017-02-16 17:53 ` [PATCH 4.4 15/20] sit: fix a double free on error path Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 16/20] net: introduce device min_header_len Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 17/20] packet: round up linear to header len Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 18/20] ping: fix a null pointer dereference Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 19/20] l2tp: do not use udp_ioctl() Greg Kroah-Hartman
2017-02-16 17:53 ` [PATCH 4.4 20/20] tcp: fix mark propagation with fwmark_reflect enabled Greg Kroah-Hartman
2017-02-17 10:37 ` [PATCH 4.4 00/20] 4.4.50-stable review Guenter Roeck
[not found] ` <58a74eeb.c910190a.1e315.c4dd@mx.google.com>
2017-02-17 23:43 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170216175259.619574493@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).