From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jiri Benc <jbenc@redhat.com>
Subject: Re: [PATCH net] nsh: fix infinite loop
Date: Fri, 4 May 2018 09:23:59 +0200
Message-ID: <20180504092359.7a78a74a@redhat.com>
References: <20180503203754.60611-1-edumazet@google.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: "David S . Miller" <davem@davemloft.net>,
        netdev <netdev@vger.kernel.org>,
        Eric Dumazet <eric.dumazet@gmail.com>
To: Eric Dumazet <edumazet@google.com>
Return-path: <netdev-owner@vger.kernel.org>
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:49612 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1751189AbeEDHYH (ORCPT <rfc822;netdev@vger.kernel.org>);
        Fri, 4 May 2018 03:24:07 -0400
In-Reply-To: <20180503203754.60611-1-edumazet@google.com>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

On Thu,  3 May 2018 13:37:54 -0700, Eric Dumazet wrote:
> diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
> index d7da99a0b0b852d7459eed9ac6d3cdf3d49a1a1c..9696ef96b719bf24625adea2a959deac1d2a975f 100644
> --- a/net/nsh/nsh.c
> +++ b/net/nsh/nsh.c
> @@ -57,6 +57,8 @@ int nsh_pop(struct sk_buff *skb)
>  		return -ENOMEM;
>  	nh = (struct nshhdr *)(skb->data);
>  	length = nsh_hdr_len(nh);
> +	if (length < NSH_BASE_HDR_LEN)
> +		return -EINVAL;
>  	inner_proto = tun_p_to_eth_p(nh->np);
>  	if (!pskb_may_pull(skb, length))
>  		return -ENOMEM;
> @@ -90,6 +92,8 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
>  	if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN)))
>  		goto out;
>  	nsh_len = nsh_hdr_len(nsh_hdr(skb));
> +	if (nsh_len < NSH_BASE_HDR_LEN)
> +		goto out;
>  	if (unlikely(!pskb_may_pull(skb, nsh_len)))
>  		goto out;
>  

Acked-by: Jiri Benc <jbenc@redhat.com>

Thanks, Eric, and shame on me!

 Jiri