git.kernel.dk Git - linux-2.6-block.git/commit

author	Willem de Bruijn <willemb@google.com>
	Sun, 30 Dec 2018 22:24:36 +0000 (17:24 -0500)
committer	David S. Miller <davem@davemloft.net>
	Tue, 1 Jan 2019 20:05:02 +0000 (12:05 -0800)
commit	cb9f1b783850b14cbd7f87d061d784a666dfba1f
tree	652c378230eed5add180c8fec9787db540b32e97	tree \| snapshot
parent	8c76e77f9069f10505c08e02646c3ee11ad79038	commit \| diff

ip: validate header length on virtual device xmit

KMSAN detected read beyond end of buffer in vti and sit devices when
passing truncated packets with PF_PACKET. The issue affects additional
ip tunnel devices.

Extend commit 76c0ddd8c3a6 ("ip6_tunnel: be careful when accessing the
inner header") and commit ccfec9e5cb2d ("ip_tunnel: be careful when
accessing the inner header").

Move the check to a separate helper and call at the start of each
ndo_start_xmit function in net/ipv4 and net/ipv6.

Minor changes:
- convert dev_kfree_skb to kfree_skb on error path,
  as dev_kfree_skb calls consume_skb which is not for error paths.
- use pskb_network_may_pull even though that is pedantic here,
  as the same as pskb_may_pull for devices without llheaders.
- do not cache ipv6 hdrs if used only once
  (unsafe across pskb_may_pull, was more relevant to earlier patch)

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

include/net/ip_tunnels.h		diff \| blob \| blame \| history
net/ipv4/ip_gre.c		diff \| blob \| blame \| history
net/ipv4/ip_tunnel.c		diff \| blob \| blame \| history
net/ipv4/ip_vti.c		diff \| blob \| blame \| history
net/ipv6/ip6_gre.c		diff \| blob \| blame \| history
net/ipv6/ip6_tunnel.c		diff \| blob \| blame \| history
net/ipv6/ip6_vti.c		diff \| blob \| blame \| history
net/ipv6/ip6mr.c		diff \| blob \| blame \| history
net/ipv6/sit.c		diff \| blob \| blame \| history