[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 07 Jul 2020 15:49:10 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: toke@...hat.com
Cc: netdev@...r.kernel.org, cake@...ts.bufferbloat.net,
dcaratti@...hat.com, jiri@...nulli.us, jhs@...atatu.com,
xiyou.wangcong@...il.com, toshiaki.makita1@...il.com,
daniel@...earbox.net
Subject: Re: [PATCH net v2] vlan: consolidate VLAN parsing code and limit
max parsing depth
From: Toke Høiland-Jørgensen <toke@...hat.com>
Date: Tue, 7 Jul 2020 13:03:25 +0200
> Toshiaki pointed out that we now have two very similar functions to extract
> the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
> that the unbounded parsing loop makes it possible for maliciously crafted
> packets to loop through potentially hundreds of tags.
>
> Fix both of these issues by consolidating the two parsing functions and
> limiting the VLAN tag parsing to a max depth of 8 tags. As part of this,
> switch over __vlan_get_protocol() to use skb_header_pointer() instead of
> pskb_may_pull(), to avoid the possible side effects of the latter and keep
> the skb pointer 'const' through all the parsing functions.
>
> v2:
> - Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT)
>
> Reported-by: Toshiaki Makita <toshiaki.makita1@...il.com>
> Reported-by: Daniel Borkmann <daniel@...earbox.net>
> Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in the presence of VLANs")
> Signed-off-by: Toke Høiland-Jørgensen <toke@...hat.com>
Applied, thank you.
Powered by blists - more mailing lists