From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Michael S. Tsirkin" , "Daniel Borkmann" , "David S. Miller" , "Eric Dumazet" , "Jason Wang" , "Petr Matousek" Date: Sun, 29 Dec 2013 03:08:44 +0100 Message-ID: Subject: [PATCH 3.2 180/185] net: flow_dissector: fail on evil iph->ihl In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.2.54-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Jason Wang commit 6f092343855a71e03b8d209815d8c45bf3a27fcd upstream. We don't validate iph->ihl which may lead a dead loop if we meet a IPIP skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl is evil (less than 5). This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae (rps: support IPIP encapsulation). Cc: Eric Dumazet Cc: Petr Matousek Cc: Michael S. Tsirkin Cc: Daniel Borkmann Signed-off-by: Jason Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller [bwh: Backported to 3.2: the affected code is in __skb_get_rxhash()] Signed-off-by: Ben Hutchings --- net/core/flow_dissector.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2609,6 +2609,8 @@ ip: goto done; ip = (const struct iphdr *) (skb->data + nhoff); + if (ip->ihl < 5) + goto done; if (ip_is_fragment(ip)) ip_proto = 0; else