[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAM_iQpX7mU7gogGx1peYMoOQbp0CZgYmTZJt=uGFm0c0gviY5A@mail.gmail.com>
Date: Wed, 23 Nov 2016 23:19:38 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: Liyang Yu (于立洋1) <yuliyang1@...com>
Cc: "security@...nel.org" <security@...nel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"cve-request@...re.org" <cve-request@...re.org>
Subject: Re: [scr265482] ip_tunnel.c
On Wed, Nov 23, 2016 at 6:47 PM, Liyang Yu (于立洋1) <yuliyang1@...com> wrote:
> Hi:
> I found that the GRE tunnel in same case can cause integer overflow in ip_tunnel.c:397
>
> Cause of the problem:
> When tpi->seq less than tunnel->i_seqno, the packet will be droped.
>
> How to recurrence problem
> 1. Create an tunnel use kernel GRE module.
> 2. Use the tunnel to send packets for awile.
> 3.Reboot one site of the tunnel.
> 4. Communication interrupted
What do you mean by "reboot one site of the tunnel"?
If you mean something like delete and create it again,
it has nothing related to integer overflow, the tunnel->o_seqno
will restart from 0 and the tunnel->i_seqno will remain as it is
since we can't detect the interruption of the tunnel traffic.
If so, the following patch could help?
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 5719d6b..2738ff2 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -277,6 +277,7 @@ static struct net_device
*__ip_tunnel_create(struct net *net,
tunnel = netdev_priv(dev);
tunnel->parms = *parms;
tunnel->net = net;
+ tunnel->o_seqno = UINT_MAX;
err = register_netdevice(dev);
if (err)
Powered by blists - more mailing lists