From patchwork Mon Sep 17 17:46:53 2018
X-Patchwork-Submitter: Stefan Nuernberger
X-Patchwork-Id: 970758
X-Patchwork-Delegate: davem@davemloft.net
From: Stefan Nuernberger
To: netdev@vger.kernel.org
Cc: aams@amazon.de, dwmw@amazon.co.uk, yujuan.qi@mediatek.com, paul@paul-moore.com, snu@amazon.com, sveith@amazon.de, stable@vger.kernel.org
Subject: [PATCH v2 net] net/ipv4: defensive cipso option parsing
Date: Mon, 17 Sep 2018 19:46:53 +0200
Message-Id: <20180917174653.17046-1-snu@amazon.com>
X-Mailing-List: netdev@vger.kernel.org

commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed a possible infinite loop in the IP option parsing of CIPSO.

The fix assumes that ip_options_compile filtered out all zero length options and that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist. While this assumption currently holds true, add explicit checks for zero length and invalid length options to be safe for the future.

Even though ip_options_compile should have validated the options, the introduction of new one-byte options can still confuse this code without the additional checks.
Signed-off-by: Stefan Nuernberger Cc: David Woodhouse Cc: Simon Veith Cc: stable@vger.kernel.org Acked-by: Paul Moore --- net/ipv4/cipso_ipv4.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 82178cc69c96..777fa3b7fb13 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -1512,7 +1512,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def, * * Description: * Parse the packet's IP header looking for a CIPSO option. Returns a pointer - * to the start of the CIPSO option on success, NULL if one if not found. + * to the start of the CIPSO option on success, NULL if one is not found. * */ unsigned char *cipso_v4_optptr(const struct sk_buff *skb) @@ -1522,10 +1522,8 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb) int optlen; int taglen; - for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) { + for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) { switch (optptr[0]) { - case IPOPT_CIPSO: - return optptr; case IPOPT_END: return NULL; case IPOPT_NOOP: @@ -1534,6 +1532,11 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb) default: taglen = optptr[1]; } + if (!taglen || taglen > optlen) + return NULL; + if (optptr[0] == IPOPT_CIPSO) + return optptr; + optlen -= taglen; optptr += taglen; }
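Review bot: in the second hunk, the new loop guard `optlen > 1` is what makes the `taglen = optptr[1]` read in the `default` arm safe now that `case IPOPT_CIPSO:` has been removed and a CIPSO option falls through to `default`, but nothing in the code records that dependency; a short comment on the `for` line (e.g. `/* a type byte and a length byte must both be readable */`) would keep a later change from relaxing the guard back to `optlen > 0`. The commit message could also mention that a single trailing IPOPT_END or IPOPT_NOOP byte is no longer inspected, which is harmless here because a CIPSO option cannot fit in one byte.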
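Review bot: in the third hunk, `if (!taglen || taglen > optlen) return NULL;` runs before the `optptr[0] == IPOPT_CIPSO` test, so a CIPSO option whose length byte overruns the options area is now rejected where the old `case IPOPT_CIPSO: return optptr;` handed it to the caller unchecked; that ordering is right, but it is a visible behaviour change for callers and deserves a sentence in the commit message. The check still admits `taglen == 1` for a multi-byte option (including IPOPT_CIPSO itself), which then advances one byte and reinterprets the following byte as an option type; since the commit message relies on ip_options_compile to have rejected such options, either a `taglen < 2` rejection in the `default` arm or a comment stating that minimum-length validation is left to the callers would make the intent explicit.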
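The option walk the commit message describes, as an added stand-alone example that is not the patch's or the kernel's code: it applies the patched loop guard and the zero-length and overrun checks to a few constructed IPv4 options areas (hand-built byte arrays, not captured packets). The IPOPT_* values are the kernel's uapi definitions (IPOPT_CIPSO is option number 6 with the copied bit set, 0x86); the helper names are this example's own.

```c
/*
 * Added example (not the patch's or the kernel's code): a stand-alone
 * walk over an IPv4 options area that applies the checks the commit
 * message describes. IPOPT_* values are the kernel's uapi definitions
 * (IPOPT_CIPSO is option number 6 with the copied bit set).
 */
#include <stdint.h>
#include <stdio.h>

#define IPOPT_END    0
#define IPOPT_NOOP   1
#define IPOPT_CIPSO  134    /* 0x86 */

/*
 * Return a pointer to the CIPSO option within the 'optlen' bytes at
 * 'optptr', or NULL if there is none or the option layout is malformed
 * (a zero length byte, or a length that overruns the options area).
 */
static const uint8_t *find_cipso(const uint8_t *optptr, int optlen)
{
	int taglen;

	/* optlen > 1: a type byte and a length byte must both be readable. */
	while (optlen > 1) {
		switch (optptr[0]) {
		case IPOPT_END:
			return NULL;
		case IPOPT_NOOP:
			taglen = 1;
			break;
		default:
			taglen = optptr[1];  /* includes IPOPT_CIPSO itself */
		}
		/* taglen >= 1 guarantees progress; taglen <= optlen bounds the read. */
		if (!taglen || taglen > optlen)
			return NULL;
		if (optptr[0] == IPOPT_CIPSO)
			return optptr;
		optlen -= taglen;
		optptr += taglen;
	}
	return NULL;
}

/* Offset of the CIPSO option in the area, or -1 (easier to check than a pointer). */
static int cipso_offset(const uint8_t *opts, int optlen)
{
	const uint8_t *p = find_cipso(opts, optlen);

	return p ? (int)(p - opts) : -1;
}

/* Constructed option areas, not captured packets. */
static const uint8_t opts_cipso[8] = {
	IPOPT_NOOP, IPOPT_NOOP,
	IPOPT_CIPSO, 6, 0x00, 0x00, 0x00, 0x01,   /* CIPSO, len 6, DOI 1 */
};
static const uint8_t opts_after_rr[12] = {
	0x07, 3, 4,                               /* record route, len 3, skipped by length */
	IPOPT_CIPSO, 6, 0x00, 0x00, 0x00, 0x01,
	IPOPT_END, 0, 0,
};
static const uint8_t opts_zero_len[4] = {
	0x07, 0, 0, 0,                            /* zero length byte: reject, never loop */
};
static const uint8_t opts_overrun[4] = {
	0x07, 40, 0, 0,                           /* claims 40 bytes, only 4 present */
};
static const uint8_t opts_cipso_overrun[8] = {
	IPOPT_NOOP, IPOPT_NOOP,
	IPOPT_CIPSO, 10, 0x00, 0x00, 0x00, 0x01,  /* CIPSO claims 10 bytes, 6 remain */
};
static const uint8_t opts_trailing_end[4] = {
	IPOPT_NOOP, IPOPT_NOOP, IPOPT_NOOP, IPOPT_END,
};

int main(void)
{
	printf("cipso after noops  : %d\n", cipso_offset(opts_cipso, (int)sizeof opts_cipso));
	printf("cipso after rr     : %d\n", cipso_offset(opts_after_rr, (int)sizeof opts_after_rr));
	printf("zero length option : %d\n", cipso_offset(opts_zero_len, (int)sizeof opts_zero_len));
	printf("overrunning option : %d\n", cipso_offset(opts_overrun, (int)sizeof opts_overrun));
	printf("overrunning cipso  : %d\n", cipso_offset(opts_cipso_overrun, (int)sizeof opts_cipso_overrun));
	printf("noops then end     : %d\n", cipso_offset(opts_trailing_end, (int)sizeof opts_trailing_end));
	return 0;
}
```

The two well-formed areas yield the CIPSO offset (2 and 3); the zero-length, overrunning and overrunning-CIPSO areas all return -1 because the length check runs before the CIPSO match. Without the `!taglen` test, the zero-length case would leave `optlen` unchanged on every iteration and never terminate, which is the loop the commit message is guarding against.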