| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1478807366.8455.21.camel@edumazet-glaptop3.roam.corp.google.com>
Date: Thu, 10 Nov 2016 11:49:26 -0800
From: Eric Dumazet <eric.dumazet@...il.com>
To: Vladis Dronov <vdronov@...hat.com>
Cc: netdev@...r.kernel.org, stable@...r.kernel.org,
Marco Grassi <marco.gra@...il.com>
Subject: Re: BUG() can be hit in tcp_collapse()
On Thu, 2016-11-10 at 11:26 -0800, Eric Dumazet wrote:
> The issue is that sk_filter() truncates an incoming packet to a smaller
> value.
>
> Bad things happen because TCP_SKB_CB(skb)->end_seq is not updated.
>
> I guess other issues would also happen if the truncation also removes
> part of tcp header.
>
> sk_filter_trim_cap(sk, skb, tcp_hlen) would be needed,
> or sk_filter_trim_cap(sk, skb, skb->len) to only ACCEPT/DROP packets,
> but no truncations.
Something like :
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 61b7be303eec..0b8f575eefaa 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1676,7 +1676,7 @@ int tcp_v4_rcv(struct sk_buff *skb)
nf_reset(skb);
- if (sk_filter(sk, skb))
+ if (sk_filter_trim_cap(sk, skb, skb->len))
goto discard_and_relse;
skb->dev = NULL;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 6ca23c2e76f7..2c7a6f7f1113 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1229,7 +1229,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
if (skb->protocol == htons(ETH_P_IP))
return tcp_v4_do_rcv(sk, skb);
- if (sk_filter(sk, skb))
+ if (sk_filter_trim_cap(sk, skb, skb->len))
goto discard;
/*
Powered by blists - more mailing lists