From patchwork Mon Sep 17 15:11:49 2018
X-Patchwork-Submitter: Stefan Nuernberger
X-Patchwork-Id: 970640
X-Patchwork-Delegate: davem@davemloft.net
From: Stefan Nuernberger
To: netdev@vger.kernel.org
Cc: aams@amazon.de, yujuan.qi@mediatek.com, paul@paul-moore.com, Stefan Nuernberger, stable@vger.kernel.org
Subject: [PATCH net] net/ipv4: defensive cipso option parsing
Date: Mon, 17 Sep 2018 17:11:49 +0200
Message-Id: <20180917151149.22231-1-snu@amazon.com>
X-Mailer: git-send-email 2.19.0
List-ID: X-Mailing-List: netdev@vger.kernel.org

commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed a possible infinite loop in the IP option parsing of CIPSO.

The fix assumes that ip_options_compile filtered out all zero length options and that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist. While this assumption currently holds true, add explicit checks for zero length and invalid length options to be safe for the future.

Even though ip_options_compile should have validated the options, the introduction of new one-byte options can still confuse this code without the additional checks.

Signed-off-by: Stefan Nuernberger
Reviewed-by: David Woodhouse
Reviewed-by: Simon Veith
Cc: stable@vger.kernel.org
---
 net/ipv4/cipso_ipv4.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 82178cc69c96..f291b57b8474 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -1512,7 +1512,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def, * * Description: * Parse the packet's IP header looking for a CIPSO option. Returns a pointer - * to the start of the CIPSO option on success, NULL if one if not found. + * to the start of the CIPSO option on success, NULL if one is not found. * */ unsigned char *cipso_v4_optptr(const struct sk_buff *skb) @@ -1522,9 +1522,11 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb) int optlen; int taglen; - for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) { + for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) { switch (optptr[0]) { case IPOPT_CIPSO: + if (!optptr[1] || optptr[1] > optlen) + return NULL; return optptr; case IPOPT_END: return NULL; @@ -1534,6 +1536,10 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb) default: taglen = optptr[1]; } + + if (!taglen || taglen > optlen) + break; + optlen -= taglen; optptr += taglen; }
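Review bot: In the hunk at @@ -1522, the loop bound change from `optlen > 0` to `optlen > 1` is a behaviour change that the commit message does not mention: it is what makes the `optptr[1]` reads (both the new `if (!optptr[1] || optptr[1] > optlen)` check and the existing `taglen = optptr[1]` in the default case) stay inside the option area, and it means a single trailing option byte is no longer inspected at all. Please state that in the commit message, and consider a one-line comment above the `for` explaining that the length byte must be readable. Also note that the new IPOPT_CIPSO check only rejects a zero or overlong length byte; a length of 1 (type byte only, no length or DOI) still passes and `return optptr` hands it to the caller, so the caller's validation of the minimum CIPSO option length remains load-bearing and this check should not be read as making the returned pointer fully validated.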
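Review bot: In the hunk at @@ -1534, the new `if (!taglen || taglen > optlen) break;` sits after the `switch`, so the `break` leaves the `for` loop rather than the switch, and the function's result then depends on the code after the loop, which is outside this hunk. The IPOPT_CIPSO case in the previous hunk handles the same malformed-length condition with an explicit `return NULL;`; using `return NULL;` here as well would be consistent and would make the intent clear without the reader having to check what follows the loop. A brief comment on why a zero `taglen` must terminate the loop (it would otherwise never advance `optptr`, the infinite loop that 40413955ee26 addressed) would also help the next reader.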