From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sabrina Dubroca <sd@queasysnail.net>,
Steffen Klassert <steffen.klassert@secunet.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 087/114] esp4: add length check for UDP encapsulation
Date: Thu, 23 May 2019 21:06:26 +0200 [thread overview]
Message-ID: <20190523181739.478982228@linuxfoundation.org> (raw)
In-Reply-To: <20190523181731.372074275@linuxfoundation.org>
[ Upstream commit 8dfb4eba4100e7cdd161a8baef2d8d61b7a7e62e ]
esp_output_udp_encap can produce a length that doesn't fit in the 16
bits of a UDP header's length field. In that case, we'll send a
fragmented packet whose length is larger than IP_MAX_MTU (resulting in
"Oversized IP packet" warnings on receive) and with a bogus UDP
length.
To prevent this, add a length check to esp_output_udp_encap and return
-EMSGSIZE on failure.
This seems to be older than git history.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/esp4.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 12a43a5369a54..114f9def1ec54 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -223,7 +223,7 @@ static void esp_output_fill_trailer(u8 *tail, int tfclen, int plen, __u8 proto)
tail[plen - 1] = proto;
}
-static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp)
+static int esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp)
{
int encap_type;
struct udphdr *uh;
@@ -231,6 +231,7 @@ static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, stru
__be16 sport, dport;
struct xfrm_encap_tmpl *encap = x->encap;
struct ip_esp_hdr *esph = esp->esph;
+ unsigned int len;
spin_lock_bh(&x->lock);
sport = encap->encap_sport;
@@ -238,11 +239,14 @@ static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, stru
encap_type = encap->encap_type;
spin_unlock_bh(&x->lock);
+ len = skb->len + esp->tailen - skb_transport_offset(skb);
+ if (len + sizeof(struct iphdr) >= IP_MAX_MTU)
+ return -EMSGSIZE;
+
uh = (struct udphdr *)esph;
uh->source = sport;
uh->dest = dport;
- uh->len = htons(skb->len + esp->tailen
- - skb_transport_offset(skb));
+ uh->len = htons(len);
uh->check = 0;
switch (encap_type) {
@@ -259,6 +263,8 @@ static void esp_output_udp_encap(struct xfrm_state *x, struct sk_buff *skb, stru
*skb_mac_header(skb) = IPPROTO_UDP;
esp->esph = esph;
+
+ return 0;
}
int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp)
@@ -272,8 +278,12 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
int tailen = esp->tailen;
/* this is non-NULL only with UDP Encapsulation */
- if (x->encap)
- esp_output_udp_encap(x, skb, esp);
+ if (x->encap) {
+ int err = esp_output_udp_encap(x, skb, esp);
+
+ if (err < 0)
+ return err;
+ }
if (!skb_cloned(skb)) {
if (tailen <= skb_tailroom(skb)) {
--
2.20.1
next prev parent reply other threads:[~2019-05-23 19:18 UTC|newest]
Thread overview: 127+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-23 19:04 [PATCH 4.19 000/114] 4.19.46-stable review Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 001/114] ipv6: fix src addr routing with the exception table Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 002/114] ipv6: prevent possible fib6 leaks Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 003/114] net: Always descend into dsa/ Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 004/114] net: avoid weird emergency message Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 005/114] net/mlx4_core: Change the error print to info print Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 006/114] net: test nouarg before dereferencing zerocopy pointers Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 007/114] net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 008/114] nfp: flower: add rcu locks when accessing netdev for tunnels Greg Kroah-Hartman
2019-05-25 12:11 ` Pavel Machek
2019-05-23 19:05 ` [PATCH 4.19 009/114] ppp: deflate: Fix possible crash in deflate_init Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 010/114] rtnetlink: always put IFLA_LINK for links with a link-netnsid Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 011/114] tipc: switch order of device registration to fix a crash Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 012/114] vsock/virtio: free packets during the socket release Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 013/114] tipc: fix modprobe tipc failed after switch order of device registration Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 014/114] vsock/virtio: Initialize core virtio vsock before registering the driver Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 015/114] net/mlx5: Imply MLXFW in mlx5_core Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 016/114] net/mlx5e: Fix ethtool rxfh commands when CONFIG_MLX5_EN_RXNFC is disabled Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 017/114] parisc: Export running_on_qemu symbol for modules Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 018/114] parisc: Skip registering LED when running in QEMU Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 019/114] parisc: Use PA_ASM_LEVEL in boot code Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 020/114] parisc: Rename LEVEL to PA_ASM_LEVEL to avoid name clash with DRBD code Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 021/114] stm class: Fix channel free in stm output free path Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 022/114] stm class: Fix channel bitmap on 32-bit systems Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 023/114] brd: re-enable __GFP_HIGHMEM in brd_insert_page() Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 024/114] proc: prevent changes to overridden credentials Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 025/114] Revert "MD: fix lock contention for flush bios" Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 026/114] md: batch flush requests Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 027/114] md: add mddev->pers to avoid potential NULL pointer dereference Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 028/114] dcache: sort the freeing-without-RCU-delay mess for good Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 029/114] intel_th: msu: Fix single mode with IOMMU Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 030/114] p54: drop device reference count if fails to enable device Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 031/114] of: fix clang -Wunsequenced for be32_to_cpu() Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 032/114] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 033/114] phy: ti-pipe3: fix missing bit-wise or operator when assigning val Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 034/114] media: ov6650: Fix sensor possibly not detected on probe Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 035/114] media: imx: csi: Allow unknown nearest upstream entities Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 036/114] media: imx: Clear fwnode link struct for each endpoint iteration Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 037/114] NFS4: Fix v4.0 client state corruption when mount Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 038/114] PNFS fallback to MDS if no deviceid found Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 039/114] clk: hi3660: Mark clk_gate_ufs_subsys as critical Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 040/114] clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 041/114] clk: mediatek: Disable tuner_en before change PLL rate Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 042/114] clk: rockchip: fix wrong clock definitions for rk3328 Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 043/114] udlfb: delete the unused parameter for dlfb_handle_damage Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 044/114] udlfb: fix sleeping inside spinlock Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 045/114] udlfb: introduce a rendering mutex Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 046/114] fuse: fix writepages on 32bit Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 047/114] fuse: honor RLIMIT_FSIZE in fuse_file_fallocate Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 048/114] ovl: fix missing upper fs freeze protection on copy up for ioctl Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 049/114] iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114 Greg Kroah-Hartman
2019-05-27 15:46 ` Pavel Machek
2019-05-27 17:12 ` Dmitry Osipenko
2019-05-23 19:05 ` [PATCH 4.19 050/114] ceph: flush dirty inodes before proceeding with remount Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 051/114] x86_64: Add gap to int3 to allow for call emulation Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 052/114] x86_64: Allow breakpoints to emulate call instructions Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 053/114] ftrace/x86_64: Emulate call function while updating in breakpoint handler Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 054/114] tracing: Fix partial reading of trace events id file Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 055/114] memory: tegra: Fix integer overflow on tick value calculation Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 056/114] perf intel-pt: Fix instructions sampling rate Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 057/114] perf intel-pt: Fix improved sample timestamp Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 058/114] perf intel-pt: Fix sample timestamp wrt non-taken branches Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 059/114] MIPS: perf: Fix build with CONFIG_CPU_BMIPS5000 enabled Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 4.19 060/114] objtool: Allow AR to be overridden with HOSTAR Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 061/114] fbdev/efifb: Ignore framebuffer memmap entries that lack any memory types Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 062/114] fbdev: sm712fb: fix brightness control on reboot, dont set SR30 Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 063/114] fbdev: sm712fb: fix VRAM detection, dont set SR70/71/74/75 Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 064/114] fbdev: sm712fb: fix white screen of death on reboot, dont set CR3B-CR3F Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 065/114] fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 066/114] fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 067/114] fbdev: sm712fb: fix support for 1024x768-16 mode Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 068/114] fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 069/114] fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 070/114] PCI: Mark AMD Stoney Radeon R7 GPU ATS as broken Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 071/114] PCI: Mark Atheros AR9462 to avoid bus reset Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 072/114] PCI: Init PCIe feature bits for managed host bridge alloc Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 073/114] PCI/AER: Change pci_aer_init() stub to return void Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 074/114] PCI: rcar: Add the initialization of PCIe link in resume_noirq() Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 075/114] PCI: Factor out pcie_retrain_link() function Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 076/114] PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 077/114] dm cache metadata: Fix loading discard bitset Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 078/114] dm zoned: Fix zone report handling Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 079/114] dm delay: fix a crash when invalid device is specified Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 080/114] dm integrity: correctly calculate the size of metadata area Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 081/114] dm mpath: always free attached_handler_name in parse_path() Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 082/114] fuse: Add FOPEN_STREAM to use stream_open() Greg Kroah-Hartman
2019-05-28 11:16 ` Pavel Machek
2019-05-28 18:47 ` Kirill Smelkov
2019-05-23 19:06 ` [PATCH 4.19 083/114] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 084/114] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 085/114] vti4: ipip tunnel deregistration fixes Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 086/114] xfrm: clean up xfrm protocol checks Greg Kroah-Hartman
2019-05-23 19:06 ` Greg Kroah-Hartman [this message]
2019-05-23 19:06 ` [PATCH 4.19 088/114] xfrm: Honor original L3 slave device in xfrmi policy lookup Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 089/114] xfrm4: Fix uninitialized memory read in _decode_session4 Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 090/114] clk: sunxi-ng: nkmp: Avoid GENMASK(-1, 0) Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 091/114] power: supply: cpcap-battery: Fix division by zero Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 092/114] securityfs: fix use-after-free on symlink traversal Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 093/114] apparmorfs: " Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 094/114] PCI: Fix issue with "pci=disable_acs_redir" parameter being ignored Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 095/114] x86: kvm: hyper-v: deal with buggy TLB flush requests from WS2012 Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 096/114] mac80211: Fix kernel panic due to use of txq after free Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 097/114] net: ieee802154: fix missing checks for regmap_update_bits Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 098/114] KVM: arm/arm64: Ensure vcpu target is unset on reset failure Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 099/114] power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 100/114] bpf: Fix preempt_enable_no_resched() abuse Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 101/114] qmi_wwan: new Wistron, ZTE and D-Link devices Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 102/114] iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 103/114] sched/cpufreq: Fix kobject memleak Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 104/114] x86/mm/mem_encrypt: Disable all instrumentation for early SME setup Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 105/114] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 106/114] perf bench numa: Add define for RUSAGE_THREAD if not present Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 107/114] perf/x86/intel: Fix race in intel_pmu_disable_event() Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 108/114] Revert "Dont jump to compute_result state from check_result state" Greg Kroah-Hartman
2019-05-25 12:08 ` Pavel Machek
2019-05-25 16:07 ` Greg Kroah-Hartman
2019-05-25 17:17 ` Song Liu
2019-05-23 19:06 ` [PATCH 4.19 109/114] md/raid: raid5 preserve the writeback action after the parity check Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 110/114] driver core: Postpone DMA tear-down until after devres release for probe failure Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 111/114] Revert "selftests/bpf: skip verifier tests for unsupported program types" Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 112/114] bpf: relax inode permission check for retrieving bpf program Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 113/114] bpf: add map_lookup_elem_sys_only for lookups from syscall side Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 4.19 114/114] bpf, lru: avoid messing with eviction heuristics upon syscall lookup Greg Kroah-Hartman
2019-05-24 3:48 ` [PATCH 4.19 000/114] 4.19.46-stable review kernelci.org bot
2019-05-24 8:48 ` Naresh Kamboju
2019-05-24 11:04 ` Jon Hunter
2019-05-24 18:55 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190523181739.478982228@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=sd@queasysnail.net \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).