Message ID | 1446034864-14022-2-git-send-email-hannes@stressinduktion.org |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
From: Hannes Frederic Sowa <hannes@stressinduktion.org> Date: Wed, 28 Oct 2015 13:21:04 +0100 > Raw sockets with hdrincl enabled can insert ipv6 extension headers > right into the data stream. In case we need to fragment those packets, > we reparse the options header to find the place where we can insert > the fragment header. If the extension headers exceed the link's MTU we > actually cannot make progress in such a case. > > Instead of ending up in broken arithmetic or rounding towards 0 and > entering an endless loop in ip6_fragment, just prevent those cases by > aborting early and signal -EMSGSIZE to user space. > > This is the second version of the patch which doesn't use the > overflow_usub function, which got reverted for now. > > Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> > Cc: Linus Torvalds <torvalds@linux-foundation.org> > Reported-by: Dmitry Vyukov <dvyukov@google.com> > Cc: Dmitry Vyukov <dvyukov@google.com> > Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Applied. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index d03d6da..f84ec4e 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -584,6 +584,8 @@ int ip6_fragment(struct sock *sk, struct sk_buff *skb, if (np->frag_size) mtu = np->frag_size; } + if (mtu < hlen + sizeof(struct frag_hdr) + 8) + goto fail_toobig; mtu -= hlen + sizeof(struct frag_hdr); frag_id = ipv6_select_ident(net, &ipv6_hdr(skb)->daddr,
Raw sockets with hdrincl enabled can insert ipv6 extension headers right into the data stream. In case we need to fragment those packets, we reparse the options header to find the place where we can insert the fragment header. If the extension headers exceed the link's MTU we actually cannot make progress in such a case. Instead of ending up in broken arithmetic or rounding towards 0 and entering an endless loop in ip6_fragment, just prevent those cases by aborting early and signal -EMSGSIZE to user space. This is the second version of the patch which doesn't use the overflow_usub function, which got reverted for now. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> --- net/ipv6/ip6_output.c | 2 ++ 1 file changed, 2 insertions(+)