From patchwork Thu Jan 17 03:56:52 2013
X-Patchwork-Submitter: Hannes Frederic Sowa
X-Patchwork-Id: 213137
X-Patchwork-Delegate: davem@davemloft.net
Date: Thu, 17 Jan 2013 04:56:52 +0100
From: Hannes Frederic Sowa
To: netdev@vger.kernel.org
Subject: [PATCH] ipv6: check if dereference of ipv6 header is safe
Message-ID: <20130117035652.GB23782@order.stressinduktion.org>
X-Mailing-List: netdev@vger.kernel.org

When ipip6_rcv gets called we are sure that we have a full blown ipv4
packet header in the linear skb buffer (this is checked by
xfrm4_mode_tunnel_input). Because we dereference fields of the inner
ipv6 header we should actually check for the length of the sum of the
ipv4 and ipv6 header.

If the skb is too short this packet could very well be destined for
another tunnel. So we should notify the caller accordingly (albeit
currently xfrm4_mode_tunnel_input does not care; this could need another
patch).

Signed-off-by: Hannes Frederic Sowa
---
 net/ipv6/sit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index 2b4c15a..389d6e3 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -612,8 +612,8 @@ static int ipip6_rcv(struct sk_buff *skb) struct ip_tunnel *tunnel; int err; - if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) - goto out; + if (!pskb_may_pull(skb, sizeof(struct iphdr) + sizeof(struct ipv6hdr))) + return 1; iph = ip_hdr(skb);
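
Review bot: the new length in `pskb_may_pull(skb, sizeof(struct iphdr) + sizeof(struct ipv6hdr))` is only correct if skb->data still points at the start of the outer IPv4 header when ipip6_rcv is entered, and nothing in the hunk or the commit message establishes that. pskb_may_pull() counts from skb->data, so if the data pointer has already been advanced to the inner header, the old check was sufficient and the new one rejects a valid packet that carries only a 40-byte IPv6 header. If skb->data is at the outer header, sizeof(struct iphdr) covers only an option-less IPv4 header, so an outer header with options would still leave part of the inner header unchecked; the length would need to come from the header's own ihl field. Please state in the commit message where skb->data points on entry and pick the length to match. Separately, replacing `goto out` with `return 1` changes what happens to the skb on the short-packet path; the `out` label is not visible here, but if it frees the skb then ownership now passes back to the caller, which the commit message says currently ignores the return value. That behaviour change deserves its own patch, or at least a comment at the return explaining who frees the skb.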