From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jordy Zomer <jordy@pwning.systems>,
	"David S . Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>,
	steffen.klassert@secunet.com, yoshfuji@linux-ipv6.org,
	dsahern@kernel.org, kuba@kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.15 30/39] ipv6: check return value of ipv6_skip_exthdr
Date: Thu, 25 Nov 2021 21:31:47 -0500	[thread overview]
Message-ID: <20211126023156.441292-30-sashal@kernel.org> (raw)
In-Reply-To: <20211126023156.441292-1-sashal@kernel.org>

From: Jordy Zomer <jordy@pwning.systems>

[ Upstream commit 5f9c55c8066bcd93ac25234a02585701fe2e31df ]

The offset value is used in pointer math on skb->data.
Since ipv6_skip_exthdr may return -1 the pointer to uh and th
may not point to the actual udp and tcp headers and potentially
overwrite other stuff. This is why I think this should be checked.

EDIT: added {}'s, thanks Kees

Signed-off-by: Jordy Zomer <jordy@pwning.systems>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/esp6.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index ed2f061b87685..f0bac6f7ab6bb 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -808,6 +808,12 @@ int esp6_input_done2(struct sk_buff *skb, int err)
 		struct tcphdr *th;
 
 		offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
+
+		if (offset < 0) {
+			err = -EINVAL;
+			goto out;
+		}
+
 		uh = (void *)(skb->data + offset);
 		th = (void *)(skb->data + offset);
 		hdr_len += offset;
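Review bot: the new `if (offset < 0)` test stops the -1 failure return from reaching `skb->data + offset` and `hdr_len += offset`, but nothing visible in this hunk bounds a non-negative `offset` against the packet length before `uh` and `th` are derived from it; if ipv6_skip_exthdr() can hand back an offset at or beyond skb->len (it only fails when an extension header itself is unreadable, not when the last header's declared length overruns the packet), the same unchecked pointer math stays reachable, so consider following the check with something like `if (!pskb_may_pull(skb, offset + sizeof(struct udphdr))) { err = -EINVAL; goto out; }` or an equivalent length test. Also worth confirming that the `out:` label in esp6_input_done2() does nothing beyond returning `err`, since this is a new exit path taken after the function's earlier processing.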
-- 
2.33.0

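The failure mode the commit message describes, as an added userspace example that is not kernel code and not part of this patch: a small extension-header walker (skip_exthdr, modelled on how I read ipv6_skip_exthdr(): -1 when a header cannot be read, otherwise the offset it reached, which is assumed here to be returned even when it lies past the end of the packet), the unpatched caller that feeds that result straight into pointer math, and the patched caller that rejects a negative offset. The patched caller also bounds the offset against the packet length, which goes one step beyond this patch; the packets, the constant names and the helper names are all constructed for the example.

```c
/* Added example, not kernel code: userspace model of the pattern fixed in
 * esp6_input_done2(). skip_exthdr() stands in for ipv6_skip_exthdr(): -1 when an
 * extension header cannot be read, else the offset reached (assumed here to be
 * returned even when it lies past the end of the packet). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NEXTHDR_HOP      0
#define NEXTHDR_UDP      17
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_DEST     60
#define IPV6_HDRLEN      40
#define UDP_HDRLEN       8
#define MAX_PKT          (IPV6_HDRLEN + 256 * 8 + UDP_HDRLEN)
#define IS_EXTHDR(nh)    ((nh) == NEXTHDR_HOP || (nh) == NEXTHDR_ROUTING || \
			  (nh) == NEXTHDR_FRAGMENT || (nh) == NEXTHDR_DEST)

/* Walk the extension-header chain from byte offset 'start'; *nexthdr ends up as
 * the first non-extension header type. Returns its offset, or -1 on a header
 * whose 8-byte fixed part does not fit within 'len' bytes. */
static int skip_exthdr(const uint8_t *pkt, size_t len, int start, uint8_t *nexthdr)
{
	int off = start;

	while (IS_EXTHDR(*nexthdr)) {
		int hdrlen;

		if (off < 0 || (size_t)off + 8 > len)	/* fixed part unreadable */
			return -1;
		/* Fragment header is fixed at 8 bytes; others carry (len + 1) * 8. */
		hdrlen = (*nexthdr == NEXTHDR_FRAGMENT) ? 8 : (pkt[off + 1] + 1) * 8;
		*nexthdr = pkt[off];
		off += hdrlen;
	}
	return off;
}

/* Unpatched pattern: the result feeds "data + offset" unchecked, so a failure
 * gives data - 1 and an overlong last extension header gives a pointer past the
 * packet. Returns the raw offset so a caller can see where it would land. */
static int transport_offset_unchecked(const uint8_t *pkt, size_t len)
{
	uint8_t nh = pkt[6];

	return skip_exthdr(pkt, len, IPV6_HDRLEN, &nh);
}

/* Patched pattern plus the length check that belongs with it: reject a negative
 * offset (this patch's check) and one leaving no room for a UDP header (added
 * here). Returns the UDP source port, or -EINVAL. */
static int udp_source_port(const uint8_t *pkt, size_t len)
{
	uint8_t nh;
	int off;

	if (len < IPV6_HDRLEN)
		return -EINVAL;
	nh = pkt[6];
	off = skip_exthdr(pkt, len, IPV6_HDRLEN, &nh);
	if (off < 0)
		return -EINVAL;
	if (nh != NEXTHDR_UDP || (size_t)off + UDP_HDRLEN > len)
		return -EINVAL;
	return (pkt[off] << 8) | pkt[off + 1];
}

/* Constructed sample: IPv6 header, one Destination Options header of
 * (ext_units + 1) * 8 bytes pointing at UDP, then a UDP header with source port
 * 4500. The length is capped at 'truncate' to model a short packet. */
static size_t build_packet(uint8_t buf[MAX_PKT], uint8_t ext_units, size_t truncate)
{
	size_t ext_len = ((size_t)ext_units + 1) * 8;
	size_t total = IPV6_HDRLEN + ext_len + UDP_HDRLEN;

	memset(buf, 0, total);
	buf[0] = 0x60;				/* version 6 */
	buf[6] = NEXTHDR_DEST;			/* next header: Destination Options */
	buf[IPV6_HDRLEN] = NEXTHDR_UDP;		/* ext header: next header = UDP */
	buf[IPV6_HDRLEN + 1] = ext_units;	/* ext header length field */
	buf[IPV6_HDRLEN + ext_len] = 0x11;	/* UDP source port 0x1194 = 4500 */
	buf[IPV6_HDRLEN + ext_len + 1] = 0x94;
	return truncate < total ? truncate : total;
}

/* Build a sample packet and run the unpatched or the patched caller on it. */
static int run_unchecked(uint8_t ext_units, size_t truncate)
{
	uint8_t buf[MAX_PKT];
	size_t len = build_packet(buf, ext_units, truncate);
	return transport_offset_unchecked(buf, len);
}

static int run_checked(uint8_t ext_units, size_t truncate)
{
	uint8_t buf[MAX_PKT];
	size_t len = build_packet(buf, ext_units, truncate);
	return udp_source_port(buf, len);
}
```

Three inputs make the point: a well-formed 56-byte packet gives offset 48 and port 4500 from both callers; a packet cut to 44 bytes (the extension header's fixed part is unreadable) makes the walker return -1, which the unpatched caller would turn into data - 1; and a 60-byte packet whose extension header claims 2048 bytes yields offset 2088 from the walker, which is not negative and so passes this patch's check alone, but is rejected by the added length test.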


Thread overview: 60+ messages
2021-11-26  2:31 [PATCH AUTOSEL 5.15 01/39] gfs2: release iopen glock early in evict Sasha Levin
2021-11-26  2:31 ` [Cluster-devel] " Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 02/39] gfs2: Fix length of holes reported at end-of-file Sasha Levin
2021-11-26  2:31   ` [Cluster-devel] " Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 03/39] powerpc/pseries/ddw: Revert "Extend upper limit for huge DMA window for persistent memory" Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 04/39] powerpc/pseries/ddw: Do not try direct mapping with persistent memory and one window Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 05/39] drm/sun4i: fix unmet dependency on RESET_CONTROLLER for PHY_SUN6I_MIPI_DPHY Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 06/39] mac80211: do not access the IV when it was stripped Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 07/39] mac80211: fix throughput LED trigger Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 08/39] x86/hyperv: Move required MSRs check to initial platform probing Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 09/39] tun: fix bonding active backup with arp monitoring Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 10/39] net/smc: Transfer remaining wait queue entries during fallback Sasha Levin
2021-11-26  2:51   ` Jakub Kicinski
2021-12-03 18:20     ` Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 11/39] atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 12/39] net: return correct error code Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 13/39] pinctrl: qcom: fix unmet dependencies on GPIOLIB for GPIOLIB_IRQCHIP Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 14/39] blk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release() Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 15/39] platform/x86: dell-wmi-descriptor: disable by default Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 16/39] platform/x86: thinkpad_acpi: Add support for dual fan control Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 17/39] platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 18/39] s390/setup: avoid using memblock_enforce_memory_limit Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 19/39] btrfs: silence lockdep when reading chunk tree during mount Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 20/39] btrfs: check-integrity: fix a warning on write caching disabled disk Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 21/39] thermal: core: Reset previous low and high trip during thermal zone init Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 22/39] scsi: iscsi: Unblock session then wake up error handler Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 23/39] net: usb: r8152: Add MAC passthrough support for more Lenovo Docks Sasha Levin
2021-11-28  9:49   ` Sergey Shtylyov
2021-11-28  9:50     ` Sergey Shtylyov
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 24/39] drm/amd/pm: Remove artificial freq level on Navi1x Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 25/39] drm/amd/amdkfd: Fix kernel panic when reset failed and been triggered again Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 26/39] drm/amd/amdgpu: fix potential memleak Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 27/39] ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile Sasha Levin
2021-11-29 14:46   ` Limonciello, Mario
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 28/39] ata: libahci: Adjust behavior when StorageD3Enable _DSD is set Sasha Levin
2021-11-29 14:46   ` Limonciello, Mario
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 29/39] ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() Sasha Levin
2021-11-26  2:31 ` Sasha Levin [this message]
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 31/39] net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 32/39] net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 33/39] perf sort: Fix the 'weight' sort key behavior Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 34/39] perf sort: Fix the 'ins_lat' " Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 35/39] perf sort: Fix the 'p_stage_cyc' " Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 36/39] perf inject: Fix ARM SPE handling Sasha Levin
2021-11-26  2:31   ` Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 37/39] perf hist: Fix memory leak of a perf_hpp_fmt Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 38/39] perf report: Fix memory leaks around perf_tip() Sasha Levin
2021-11-26  2:31 ` [PATCH AUTOSEL 5.15 39/39] tracing: Don't use out-of-sync va_list in event printing Sasha Levin
