author | David S. Miller | 2018-12-08 01:24:40 +0100 |
committer | David S. Miller | 2018-12-08 01:24:40 +0100 |
commit | 8b78903bc5f1786f7f988d26de48819144a13d6c (patch) | |
tree | 9b93e099315cb036f69df1d45cac0e98de166976 /include/net/neighbour.h | |
parent | tcp: lack of available data can also cause TSO defer (diff) | |
parent | neighbour: Avoid writing before skb->head in neigh_hh_output() (diff) | |
Merge branch 'skb-headroom-slab-out-of-bounds'
Stefano Brivio says:
====================
Fix slab out-of-bounds on insufficient headroom for IPv6 packets
Patch 1/2 fixes a slab out-of-bounds occurring with short SCTP packets over
IPv4 over L2TP over IPv6 on a configuration with relatively low HEADER_MAX.
Patch 2/2 makes sure we avoid writing before the allocated buffer in
neigh_hh_output() in case the headroom is enough for the unaligned hardware
header size, but not enough for the aligned one, and that we warn if we hit
this condition.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net/neighbour.h')
-rw-r--r-- | include/net/neighbour.h | 28 |
1 files changed, 23 insertions, 5 deletions
diff --git a/include/net/neighbour.h b/include/net/neighbour.h
index f58b384aa6c9..665990c7dec8 100644
--- a/include/net/neighbour.h
+++ b/include/net/neighbour.h
@@ -454,6 +454,7 @@ static inline int neigh_hh_bridge(struct hh_cache *hh, struct sk_buff *skb)
 static inline int neigh_hh_output(const struct hh_cache *hh, struct sk_buff *skb)
 {
+ unsigned int hh_alen = 0;
 unsigned int seq;
 unsigned int hh_len;
@@ -461,16 +462,33 @@ static inline int neigh_hh_output(const struct hh_cache *hh, struct sk_buff *skb)
 seq = read_seqbegin(&hh->hh_lock);
 hh_len = hh->hh_len;
 if (likely(hh_len <= HH_DATA_MOD)) {
- /* this is inlined by gcc */
- memcpy(skb->data - HH_DATA_MOD, hh->hh_data, HH_DATA_MOD);
+ hh_alen = HH_DATA_MOD;
+
+ /* skb_push() would proceed silently if we have room for
+ * the unaligned size but not for the aligned size:
+ * check headroom explicitly.
+ */
+ if (likely(skb_headroom(skb) >= HH_DATA_MOD)) {
+ /* this is inlined by gcc */
+ memcpy(skb->data - HH_DATA_MOD, hh->hh_data,
+ HH_DATA_MOD);
+ }
 } else {
- unsigned int hh_alen = HH_DATA_ALIGN(hh_len);
+ hh_alen = HH_DATA_ALIGN(hh_len);
- memcpy(skb->data - hh_alen, hh->hh_data, hh_alen);
+ if (likely(skb_headroom(skb) >= hh_alen)) {
+ memcpy(skb->data - hh_alen, hh->hh_data,
+ hh_alen);
+ }
 }
 } while (read_seqretry(&hh->hh_lock, seq));
- skb_push(skb, hh_len);
+ if (WARN_ON_ONCE(skb_headroom(skb) < hh_alen)) {
+ kfree_skb(skb);
+ return NET_XMIT_DROP;
+ }
+
+ __skb_push(skb, hh_len);
 return dev_queue_xmit(skb);
 } |
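Review bot: The replacement of `skb_push()` by `__skb_push()` at the end of the second hunk gives up skb_push()'s own under-run check, and the new code is only safe because the `WARN_ON_ONCE(skb_headroom(skb) < hh_alen)` guard just above it already covers the push: hh_alen is never smaller than hh_len in either branch (HH_DATA_MOD when hh_len <= HH_DATA_MOD, and HH_DATA_ALIGN(hh_len), which rounds up, otherwise), so that dependency should be stated in code rather than left implicit. Suggest `/* hh_alen >= hh_len, so the headroom check above also covers this push. */` on the line before `__skb_push(skb, hh_len);`. The `= 0` initializer on hh_alen in the first hunk is only defensive, since the do/while body (whose `do {` opens before the second hunk) assigns it on every iteration; a short comment such as `/* always assigned in the retry loop below */` would save the next reader the same analysis. The enclosing function starts in the first hunk and its body continues across the gap between the two hunks.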