| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20161024150712.5133-1-elicooper@gmx.com>
Date: Mon, 24 Oct 2016 23:07:12 +0800
From: Eli Cooper <elicooper@....com>
To: netdev@...r.kernel.org, "David S . Miller" <davem@...emloft.net>
Subject: [PATCH] ip6_tunnel: Clear IP6CB(skb)->frag_max_size in ip4ip6_tnl_xmit()
skb->cb may contain data from previous layers, as shown in 5146d1f1511
("tunnel: Clear IPCB(skb)->opt before dst_link_failure called").
However, for ipip6 tunnels, clearing IPCB(skb)->opt alone is not enough,
because skb->cb is later misinterpreted as IP6CB(skb)->frag_max_size.
In the observed scenario, the garbage data made the max fragment size so
so small that packets sent through the tunnel are mistakenly fragmented.
This patch clears IP6CB(skb)->frag_max_size for ipip6 tunnels.
Signed-off-by: Eli Cooper <elicooper@....com>
---
net/ipv6/ip6_tunnel.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 202d16a..4110562 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1205,6 +1205,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
int err;
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
+ IP6CB(skb)->frag_max_size = 0;
tproto = ACCESS_ONCE(t->parms.proto);
if (tproto != IPPROTO_IPIP && tproto != 0)
--
2.10.1
Powered by blists - more mailing lists