From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Julia Lawall <julia.lawall@lip6.fr>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 14/53] ipv6: Check ip6_find_1stfragopt() return value properly.
Date: Mon, 5 Jun 2017 18:17:12 +0200 [thread overview]
Message-ID: <20170605153037.987450139@linuxfoundation.org> (raw)
In-Reply-To: <20170605153037.105331684@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: "David S. Miller" <davem@davemloft.net>
[ Upstream commit 7dd7eb9513bd02184d45f000ab69d78cb1fa1531 ]
Do not use unsigned variables to see if it returns a negative
error or not.
Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_offload.c | 9 ++++-----
net/ipv6/ip6_output.c | 7 +++----
net/ipv6/udp_offload.c | 8 +++++---
3 files changed, 12 insertions(+), 12 deletions(-)
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -62,7 +62,6 @@ static struct sk_buff *ipv6_gso_segment(
const struct net_offload *ops;
int proto;
struct frag_hdr *fptr;
- unsigned int unfrag_ip6hlen;
u8 *prevhdr;
int offset = 0;
bool encap, udpfrag;
@@ -121,10 +120,10 @@ static struct sk_buff *ipv6_gso_segment(
skb->network_header = (u8 *)ipv6h - skb->head;
if (udpfrag) {
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
- if (unfrag_ip6hlen < 0)
- return ERR_PTR(unfrag_ip6hlen);
- fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
+ int err = ip6_find_1stfragopt(skb, &prevhdr);
+ if (err < 0)
+ return ERR_PTR(err);
+ fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
fptr->frag_off = htons(offset);
if (skb->next)
fptr->frag_off |= htons(IP6_MF);
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -571,11 +571,10 @@ int ip6_fragment(struct net *net, struct
int ptr, offset = 0, err = 0;
u8 *prevhdr, nexthdr = 0;
- hlen = ip6_find_1stfragopt(skb, &prevhdr);
- if (hlen < 0) {
- err = hlen;
+ err = ip6_find_1stfragopt(skb, &prevhdr);
+ if (err < 0)
goto fail;
- }
+ hlen = err;
nexthdr = *prevhdr;
mtu = ip6_skb_dst_mtu(skb);
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment
u8 frag_hdr_sz = sizeof(struct frag_hdr);
__wsum csum;
int tnl_hlen;
+ int err;
mss = skb_shinfo(skb)->gso_size;
if (unlikely(skb->len <= mss))
@@ -97,9 +98,10 @@ static struct sk_buff *udp6_ufo_fragment
/* Find the unfragmentable header and shift it left by frag_hdr_sz
* bytes to insert fragment header.
*/
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
- if (unfrag_ip6hlen < 0)
- return ERR_PTR(unfrag_ip6hlen);
+ err = ip6_find_1stfragopt(skb, &prevhdr);
+ if (err < 0)
+ return ERR_PTR(err);
+ unfrag_ip6hlen = err;
nexthdr = *prevhdr;
*prevhdr = NEXTHDR_FRAGMENT;
unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
next prev parent reply other threads:[~2017-06-05 16:17 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-05 16:16 [PATCH 4.4 00/53] 4.4.71-stable review Greg Kroah-Hartman
2017-06-05 16:16 ` [PATCH 4.4 01/53] sparc: Fix -Wstringop-overflow warning Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 02/53] dccp/tcp: do not inherit mc_list from parent Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 03/53] ipv6/dccp: do not inherit ipv6_mc_list " Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 04/53] s390/qeth: handle sysfs error during initialization Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 05/53] s390/qeth: unbreak OSM and OSN support Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 06/53] s390/qeth: avoid null pointer dereference on OSN Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 07/53] s390/qeth: add missing hash table initializations Greg Kroah-Hartman
2017-06-06 8:11 ` Julian Wiedmann
2017-06-06 8:52 ` Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 08/53] tcp: avoid fragmenting peculiar skbs in SACK Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 09/53] sctp: fix src address selection if using secondary addresses for ipv6 Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 10/53] sctp: do not inherit ipv6_{mc|ac|fl}_list from parent Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 11/53] tcp: eliminate negative reordering in tcp_clean_rtx_queue Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 12/53] net: Improve handling of failures on link and route dumps Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 13/53] ipv6: Prevent overrun when parsing v6 header options Greg Kroah-Hartman
2017-06-05 16:17 ` Greg Kroah-Hartman [this message]
2017-06-05 16:17 ` [PATCH 4.4 15/53] bridge: netlink: check vlan_default_pvid range Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 17/53] bridge: start hello_timer when enabling KERNEL_STP in br_stp_start Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 18/53] ipv6: fix out of bound writes in __ip6_append_data() Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 19/53] be2net: Fix offload features for Q-in-Q packets Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 20/53] virtio-net: enable TSO/checksum offloads for Q-in-Q vlans Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 21/53] tcp: avoid fastopen API to be used on AF_UNSPEC Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 22/53] sctp: fix ICMP processing if skb is non-linear Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 23/53] ipv4: add reference counting to metrics Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 24/53] netem: fix skb_orphan_partial() Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 25/53] net: phy: marvell: Limit errata to 88m1101 Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 26/53] vlan: Fix tcp checksum offloads in Q-in-Q vlans Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 27/53] i2c: i2c-tiny-usb: fix buffer not being DMA capable Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 28/53] mmc: sdhci-iproc: suppress spurious interrupt with Multiblock read Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 29/53] HID: wacom: Have wacom_tpc_irq guard against possible NULL dereference Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 30/53] scsi: mpt3sas: Force request partial completion alignment Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 33/53] pcmcia: remove left-over %Z format Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 34/53] ALSA: hda - apply STAC_9200_DELL_M22 quirk for Dell Latitude D430 Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 35/53] slub/memcg: cure the brainless abuse of sysfs attributes Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 36/53] drm/gma500/psb: Actually use VBT mode when it is found Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 37/53] mm/migrate: fix refcount handling when !hugepage_migration_supported() Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 38/53] mlock: fix mlock count can not decrease in race condition Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 39/53] PCI/PM: Add needs_resume flag to avoid suspend complete optimization Greg Kroah-Hartman
2017-06-06 16:19 ` Ben Hutchings
2017-06-07 9:49 ` Greg Kroah-Hartman
2017-06-08 9:58 ` Imre Deak
2017-06-05 16:17 ` [PATCH 4.4 40/53] xfs: Fix missed holes in SEEK_HOLE implementation Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 41/53] xfs: fix off-by-one on max nr_pages in xfs_find_get_desired_pgoff() Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 42/53] xfs: fix over-copying of getbmap parameters from userspace Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 43/53] xfs: handle array index overrun in xfs_dir2_leaf_readbuf() Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 44/53] xfs: prevent multi-fsb dir readahead from reading random blocks Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 45/53] xfs: fix up quotacheck buffer list error handling Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 46/53] xfs: support ability to wait on new inodes Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 47/53] xfs: update ag iterator to support " Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 48/53] xfs: wait on new inodes during quotaoff dquot release Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 49/53] xfs: fix indlen accounting error on partial delalloc conversion Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 50/53] xfs: bad assertion for delalloc an extent that start at i_size Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 51/53] xfs: fix unaligned access in xfs_btree_visit_blocks Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 52/53] xfs: in _attrlist_by_handle, copy the cursor back to userspace Greg Kroah-Hartman
2017-06-05 16:17 ` [PATCH 4.4 53/53] xfs: only return -errno or success from attr ->put_listent Greg Kroah-Hartman
2017-06-05 20:35 ` [PATCH 4.4 00/53] 4.4.71-stable review Shuah Khan
2017-06-05 22:07 ` Guenter Roeck
2017-06-06 7:19 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170605153037.987450139@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=julia.lawall@lip6.fr \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).