| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200815084431.16813-1-linmiaohe@huawei.com>
Date: Sat, 15 Aug 2020 04:44:31 -0400
From: Miaohe Lin <linmiaohe@...wei.com>
To: <davem@...emloft.net>, <kuba@...nel.org>, <pshelar@....org>,
<fw@...len.de>, <martin.varghese@...ia.com>, <edumazet@...gle.com>,
<dcaratti@...hat.com>, <steffen.klassert@...unet.com>,
<pabeni@...hat.com>, <shmulik@...anetworks.com>,
<kyk.segfault@...il.com>, <jiri@...lanox.com>,
<vyasevic@...hat.com>
CC: <netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<linmiaohe@...wei.com>
Subject: [PATCH] net: Fix potential wrong skb->protocol in skb_vlan_untag()
We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So
we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or
we may access the wrong data.
Fixes: 0d5501c1c828 ("net: Always untag vlan-tagged traffic on input.")
Signed-off-by: Miaohe Lin <linmiaohe@...wei.com>
---
net/core/skbuff.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 7e2e502ef519..5c3b906aeef3 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -5418,8 +5418,8 @@ struct sk_buff *skb_vlan_untag(struct sk_buff *skb)
skb = skb_share_check(skb, GFP_ATOMIC);
if (unlikely(!skb))
goto err_free;
-
- if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
+ /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */
+ if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short))))
goto err_free;
vhdr = (struct vlan_hdr *)skb->data;
--
2.19.1
Powered by blists - more mailing lists