stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Tadeusz Struk <tadeusz.struk@linaro.org>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
	Jakub Kicinski <kuba@kernel.org>
Cc: David Miller <davem@davemloft.net>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	David Ahern <dsahern@kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
	Yonghong Song <yhs@fb.com>,
	John Fastabend <john.fastabend@gmail.com>,
	KP Singh <kpsingh@kernel.org>,
	Network Development <netdev@vger.kernel.org>,
	bpf <bpf@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>,
	stable <stable@vger.kernel.org>,
	syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com,
	Willem de Bruijn <willemb@google.com>
Subject: Re: [PATCH v2] net: ipv6: fix skb_over_panic in __ip6_append_data
Date: Thu, 10 Mar 2022 15:04:14 -0800	[thread overview]
Message-ID: <77a44185-c9cd-21f5-125f-b8eec7a66537@linaro.org> (raw)
In-Reply-To: <CAF=yD-LrVjvY8wAqZtUTFS8V9ng2AD3jB1DOZvkagPOp3Sbq-g@mail.gmail.com>

On 3/10/22 14:43, Willem de Bruijn wrote:
> On Thu, Mar 10, 2022 at 5:30 PM Jakub Kicinski <kuba@kernel.org> wrote:
>>
>> On Thu, 10 Mar 2022 14:13:28 -0800 Tadeusz Struk wrote:
>>> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
>>> index 4788f6b37053..6d45112322a0 100644
>>> --- a/net/ipv6/ip6_output.c
>>> +++ b/net/ipv6/ip6_output.c
>>> @@ -1649,6 +1649,16 @@ static int __ip6_append_data(struct sock *sk,
>>>                        skb->protocol = htons(ETH_P_IPV6);
>>>                        skb->ip_summed = csummode;
>>>                        skb->csum = 0;
>>> +
>>> +                     /*
>>> +                      *      Check if there is still room for payload
>>> +                      */
>>
>> TBH I think the check is self-explanatory. Not worth a banner comment,
>> for sure.
>>
>>> +                     if (fragheaderlen >= mtu) {
>>> +                             err = -EMSGSIZE;
>>> +                             kfree_skb(skb);
>>> +                             goto error;
>>> +                     }
>>
>> Not sure if Willem prefers this placement, but seems like we can lift
>> this check out of the loop, as soon as fragheaderlen and mtu are known.
>>
>>>                        /* reserve for fragmentation and ipsec header */
>>>                        skb_reserve(skb, hh_len + sizeof(struct frag_hdr) +
>>>                                    dst_exthdrlen);
> 
> Just updating this boundary check will do?
> 
>          if (mtu < fragheaderlen ||
>              ((mtu - fragheaderlen) & ~7) + fragheaderlen <
> sizeof(struct frag_hdr))
>                  goto emsgsize;

Yes, it will. v3 on its way.

-- 
Thanks,
Tadeusz

  reply	other threads:[~2022-03-10 23:04 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-08  0:01 [PATCH] net: ipv6: fix invalid alloclen in __ip6_append_data Tadeusz Struk
2022-03-08  2:58 ` David Laight
2022-03-08 15:43   ` Tadeusz Struk
2022-03-08 18:18     ` David Ahern
2022-03-08 19:46       ` Tadeusz Struk
2022-03-09  5:01         ` David Ahern
2022-03-09 21:37           ` Tadeusz Struk
2022-03-10 14:39             ` Willem de Bruijn
2022-03-10 16:06               ` Tadeusz Struk
2022-03-10 17:32                 ` Willem de Bruijn
2022-03-10 21:14                   ` Tadeusz Struk
2022-03-10 22:13                   ` [PATCH v2] net: ipv6: fix skb_over_panic " Tadeusz Struk
2022-03-10 22:18                     ` David Laight
2022-03-10 22:30                     ` Jakub Kicinski
2022-03-10 22:42                       ` Tadeusz Struk
2022-03-10 22:43                       ` Willem de Bruijn
2022-03-10 23:04                         ` Tadeusz Struk [this message]
2022-03-10 23:05                         ` David Laight
2022-03-10 23:25                         ` [PATCH v3] " Tadeusz Struk
2022-03-11  1:49                           ` Willem de Bruijn
2022-03-11  3:43                             ` Tadeusz Struk
2022-03-12  1:40                           ` patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=77a44185-c9cd-21f5-125f-b8eec7a66537@linaro.org \
    --to=tadeusz.struk@linaro.org \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=dsahern@kernel.org \
    --cc=john.fastabend@gmail.com \
    --cc=kafai@fb.com \
    --cc=kpsingh@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=songliubraving@fb.com \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com \
    --cc=willemb@google.com \
    --cc=willemdebruijn.kernel@gmail.com \
    --cc=yhs@fb.com \
    --cc=yoshfuji@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).