From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ido Schimmel <idosch@mellanox.com>,
Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 37/37] vxlan: Avoid infinite loop when suppressing NS messages with invalid options
Date: Mon, 8 Jun 2020 19:27:49 -0400 [thread overview]
Message-ID: <20200608232750.3370747-37-sashal@kernel.org> (raw)
In-Reply-To: <20200608232750.3370747-1-sashal@kernel.org>
From: Ido Schimmel <idosch@mellanox.com>
[ Upstream commit 8066e6b449e050675df48e7c4b16c29f00507ff0 ]
When proxy mode is enabled the vxlan device might reply to Neighbor
Solicitation (NS) messages on behalf of remote hosts.
In case the NS message includes the "Source link-layer address" option
[1], the vxlan device will use the specified address as the link-layer
destination address in its reply.
To avoid an infinite loop, break out of the options parsing loop when
encountering an option with length zero and disregard the NS message.
This is consistent with the IPv6 ndisc code and RFC 4886 which states
that "Nodes MUST silently discard an ND packet that contains an option
with length zero" [2].
[1] https://tools.ietf.org/html/rfc4861#section-4.3
[2] https://tools.ietf.org/html/rfc4861#section-4.6
Fixes: 4b29dba9c085 ("vxlan: fix nonfunctional neigh_reduce()")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vxlan.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index d6ae6d3c98ed..c12f2984d7ef 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1476,6 +1476,10 @@ static struct sk_buff *vxlan_na_create(struct sk_buff *request,
daddr = eth_hdr(request)->h_source;
ns_olen = request->len - skb_transport_offset(request) - sizeof(*ns);
for (i = 0; i < ns_olen-1; i += (ns->opt[i+1]<<3)) {
+ if (!ns->opt[i + 1]) {
+ kfree_skb(reply);
+ return NULL;
+ }
if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) {
daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
break;
--
2.25.1
prev parent reply other threads:[~2020-06-08 23:37 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-08 23:27 [PATCH AUTOSEL 4.4 01/37] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 02/37] ath9k: Fix use-after-free Write in ath9k_htc_rx_msg Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 04/37] Bluetooth: Add SCO fallback for invalid LMP parameters error Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 10/37] net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 12/37] ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 13/37] ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 14/37] e1000: Distribute switch variables for initialization Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 17/37] netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 19/37] net: lpc-enet: fix error return code in lpc_mii_init() Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 20/37] net: allwinner: Fix use correct return type for ndo_start_xmit() Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 22/37] ath9k_htc: Silence undersized packet warnings Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 26/37] mwifiex: Fix memory corruption in dump_station Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 30/37] macvlan: Skip loopback packets in RX handler Sasha Levin
2020-06-08 23:27 ` [PATCH AUTOSEL 4.4 34/37] ixgbe: fix signed-integer-overflow warning Sasha Levin
2020-06-08 23:27 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200608232750.3370747-37-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=idosch@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nikolay@cumulusnetworks.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).