[net,v2,0/2] Fix slab out-of-bounds on insufficient headroom for IPv6 packets

Message ID cover.1544119954.git.sbrivio@redhat.com

Message

Stefano Brivio Dec. 6, 2018, 6:30 p.m. UTC
Patch 1/2 fixes a slab out-of-bounds occurring with short SCTP packets over
IPv4 over L2TP over IPv6 on a configuration with relatively low HEADER_MAX.

Patch 2/2 makes sure we avoid writing before the allocated buffer in
neigh_hh_output() in case the headroom is enough for the unaligned hardware
header size, but not enough for the aligned one, and that we warn if we hit
this condition.

Stefano Brivio (2):
  ipv6: Check available headroom in ip6_xmit() even without options
  neighbour: Avoid writing before skb->head in neigh_hh_output()

 include/net/neighbour.h | 28 ++++++++++++++++++++++-----
 net/ipv6/ip6_output.c   | 42 ++++++++++++++++++++---------------------
 2 files changed, 44 insertions(+), 26 deletions(-)
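
The condition patch 2/2 describes, as an added user-space model (not code from the series or from the kernel): the cached hardware header is copied in aligned units, so the headroom has to be compared with the aligned length rather than the raw header length. `HH_DATA_MOD` and `HH_DATA_ALIGN` mirror the kernel macros of the same name; `model_skb`, `hh_copy_len`, `model_hh_output` and `try_xmit` are hypothetical names used only here.

```c
#include <stdio.h>
#include <string.h>

/* Same values as HH_DATA_MOD / HH_DATA_ALIGN in the kernel's netdevice.h. */
#define HH_DATA_MOD 16
#define HH_DATA_ALIGN(len) (((len) + (HH_DATA_MOD - 1)) & ~(size_t)(HH_DATA_MOD - 1))

/* Hypothetical stand-in for an sk_buff: data points somewhere after head. */
struct model_skb { unsigned char *head, *data; };

/* Number of bytes the cached-header copy touches in front of skb->data. */
static size_t hh_copy_len(size_t hh_len)
{
    return hh_len <= HH_DATA_MOD ? HH_DATA_MOD : HH_DATA_ALIGN(hh_len);
}

/* Returns 0 after pushing the header, -1 (drop) if the aligned copy
 * would start before skb->head. hh_data must hold hh_copy_len() bytes. */
static int model_hh_output(struct model_skb *skb,
                           const unsigned char *hh_data, size_t hh_len)
{
    size_t hh_alen = hh_copy_len(hh_len);
    size_t headroom = (size_t)(skb->data - skb->head);

    if (headroom < hh_alen)   /* comparing against hh_len would miss this */
        return -1;
    memcpy(skb->data - hh_alen, hh_data, hh_alen);
    skb->data -= hh_len;      /* only hh_len bytes become part of the frame */
    return 0;
}

/* Constructed case: a zeroed buffer with `headroom` bytes before data. */
static int try_xmit(size_t headroom, size_t hh_len)
{
    unsigned char buf[128] = {0}, hh[96] = {0};
    struct model_skb skb;

    if (headroom > sizeof(buf) || hh_len > sizeof(hh))
        return -2;
    skb.head = buf;
    skb.data = buf + headroom;
    return model_hh_output(&skb, hh, hh_len);
}

int main(void)
{
    printf("hh_len=14 headroom=14 -> %d\n", try_xmit(14, 14));
    printf("hh_len=14 headroom=16 -> %d\n", try_xmit(16, 14));
    return 0;
}
```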

Comments

David Miller Dec. 8, 2018, 12:37 a.m. UTC | #1
From: Stefano Brivio <sbrivio@redhat.com>
Date: Thu,  6 Dec 2018 19:30:35 +0100

> Patch 1/2 fixes a slab out-of-bounds occurring with short SCTP packets over
> IPv4 over L2TP over IPv6 on a configuration with relatively low HEADER_MAX.
> 
> Patch 2/2 makes sure we avoid writing before the allocated buffer in
> neigh_hh_output() in case the headroom is enough for the unaligned hardware
> header size, but not enough for the aligned one, and that we warn if we hit
> this condition.

Series applied and queued up for -stable, thanks.