Message ID | 20180419221445.26205-4-aring@mojatatu.com |
---|---|
State | Changes Requested, archived |
Delegated to: | David Miller |
Series | net: sched: ife: malformed ife packet fixes |
On 04/19/2018 03:14 PM, Alexander Aring wrote: > This patch checks if sk buffer is available to dereference ife header. If > not then NULL will be returned to signal a malformed ife packet. This > avoids crashing the kernel from outside. > > Signed-off-by: Alexander Aring <aring@mojatatu.com> > Reviewed-by: Yotam Gigi <yotam.gi@gmail.com> > Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> > --- > net/ife/ife.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/ife/ife.c b/net/ife/ife.c > index 7fbe70a0af4b..570a18d4ca32 100644 > --- a/net/ife/ife.c > +++ b/net/ife/ife.c > @@ -70,6 +70,9 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen) > u16 ifehdrln; > > ifehdr = (struct ifeheadr *) (skb->data + skb->dev->hard_header_len); > + if (!pskb_may_pull(skb, skb->dev->hard_header_len + IFE_METAHDRLEN)) > + return NULL; > + No, you need to move here : ifehdr = (struct ifeheadr *) (skb->data + skb->dev->hard_header_len); > ifehdrln = ntohs(ifehdr->metalen); > total_pull = skb->dev->hard_header_len + ifehdrln; > > Please do not rush, wait one day before sending V4, no need to flood netdev@
diff --git a/net/ife/ife.c b/net/ife/ife.c index 7fbe70a0af4b..570a18d4ca32 100644 --- a/net/ife/ife.c +++ b/net/ife/ife.c @@ -70,6 +70,9 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen) u16 ifehdrln; ifehdr = (struct ifeheadr *) (skb->data + skb->dev->hard_header_len); + if (!pskb_may_pull(skb, skb->dev->hard_header_len + IFE_METAHDRLEN)) + return NULL; + ifehdrln = ntohs(ifehdr->metalen); total_pull = skb->dev->hard_header_len + ifehdrln;
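Review bot: The ifehdr assignment at the top of the hunk is computed from skb->data before pskb_may_pull() runs, and pskb_may_pull() can reallocate the skb head, so ifehdr may point into a stale buffer when ifehdr->metalen is read on the line after the new check. Move the ifehdr = ... assignment below the pskb_may_pull() test so the pointer is derived from skb->data as it is after the pull. Separately, the check only guarantees IFE_METAHDRLEN bytes past hard_header_len, while total_pull is built from the packet-supplied ifehdrln; nothing in the visible lines bounds that value against IFE_METAHDRLEN or the remaining skb length, so a check on ifehdrln before it is used should be added or pointed to in the series.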