Skip to main content

Browse the archive

https://github.com/torvalds/linux
05 April 2024, 19:05:47 UTC
Revision cb9f1b783850b14cbd7f87d061d784a666dfba1f authored by Willem de Bruijn on 30 December 2018, 22:24:36 UTC, committed by David S. Miller on 01 January 2019, 20:05:02 UTC 
ip: validate header length on virtual device xmit
 
KMSAN detected read beyond end of buffer in vti and sit devices when
passing truncated packets with PF_PACKET. The issue affects additional
ip tunnel devices.

Extend commit 76c0ddd8c3a6 ("ip6_tunnel: be careful when accessing the
inner header") and commit ccfec9e5cb2d ("ip_tunnel: be careful when
accessing the inner header").

Move the check to a separate helper and call at the start of each
ndo_start_xmit function in net/ipv4 and net/ipv6.

Minor changes:
- convert dev_kfree_skb to kfree_skb on error path,
  as dev_kfree_skb calls consume_skb which is not for error paths.
- use pskb_network_may_pull even though that is pedantic here,
  as the same as pskb_may_pull for devices without llheaders.
- do not cache ipv6 hdrs if used only once
  (unsafe across pskb_may_pull, was more relevant to earlier patch)

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 8c76e77
History
Tip revision: cb9f1b783850b14cbd7f87d061d784a666dfba1f authored by Willem de Bruijn on 30 December 2018, 22:24:36 UTC
ip: validate header length on virtual device xmit
Tip revision: cb9f1b7
File Mode Size
Documentation
LICENSES
arch
block
certs
crypto
drivers
firmware
fs
include
init
ipc
kernel
lib
mm
net
samples
scripts
security
sound
tools
usr
virt
.clang-format -rw-r--r-- 12.7 KB
.cocciconfig -rw-r--r-- 59 bytes
.get_maintainer.ignore -rw-r--r-- 31 bytes
.gitattributes -rw-r--r-- 30 bytes
.gitignore -rw-r--r-- 1.5 KB
.mailmap -rw-r--r-- 10.6 KB
COPYING -rw-r--r-- 423 bytes
CREDITS -rw-r--r-- 96.7 KB
Kbuild -rw-r--r-- 2.2 KB
Kconfig -rw-r--r-- 563 bytes
MAINTAINERS -rw-r--r-- 477.2 KB
Makefile -rw-r--r-- 59.6 KB
README -rw-r--r-- 727 bytes

README

back to top