| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a1be0201b5fe7e7570800956425063d672f7ab83.camel@redhat.com>
Date: Mon, 24 Sep 2018 13:03:17 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Cong Wang <xiyou.wangcong@...il.com>
Cc: Linux Kernel Network Developers <netdev@...r.kernel.org>,
David Miller <davem@...emloft.net>,
Alexander Potapenko <glider@...gle.com>
Subject: Re: [PATCH net] ip6_tunnel: be careful when accessing the inner
header
On Fri, 2018-09-21 at 11:51 -0700, Cong Wang wrote:
> On Wed, Sep 19, 2018 at 6:04 AM Paolo Abeni <pabeni@...hat.com> wrote:
> > diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
> > index 419960b0ba16..a0b6932c3afd 100644
> > --- a/net/ipv6/ip6_tunnel.c
> > +++ b/net/ipv6/ip6_tunnel.c
> > @@ -1234,7 +1234,7 @@ static inline int
> > ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
> > {
> > struct ip6_tnl *t = netdev_priv(dev);
> > - const struct iphdr *iph = ip_hdr(skb);
> > + const struct iphdr *iph;
> > int encap_limit = -1;
> > struct flowi6 fl6;
> > __u8 dsfield;
> > @@ -1242,6 +1242,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
> > u8 tproto;
> > int err;
> >
> > + /* ensure we can access the full inner ip header */
> > + if (!pskb_may_pull(skb, sizeof(struct iphdr)))
> > + return -1;
> > +
> > + iph = ip_hdr(skb);
>
> Hmm...
>
> How do IPv4 tunnels ensure they have the right inner header to access?
> ip_tunnel_xmit() uses skb_inner_network_header() to access inner header
> which doesn't have any check either AFAIK.
You are right, I think we need similar checks for ip_tunnel_xmit(),
too.
I'll try to cook a patch.
Cheers,
Paolo
Powered by blists - more mailing lists