From patchwork Fri Apr 21 03:58:44 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jamie Bainbridge
X-Patchwork-Id: 753105
X-Patchwork-Delegate: davem@davemloft.net
From: Jamie Bainbridge
To: "David S. Miller", Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev@vger.kernel.org
Cc: Jamie Bainbridge
Subject: [PATCH 2/2] ipv6: don't deliver packets with zero length to raw sockets
Date: Fri, 21 Apr 2017 13:58:44 +1000
Message-Id: <1492747124-31821-2-git-send-email-jbainbri@redhat.com>
In-Reply-To: <1492747124-31821-1-git-send-email-jbainbri@redhat.com>
References: <1492747124-31821-1-git-send-email-jbainbri@redhat.com>
X-Mailing-List: netdev@vger.kernel.org

IPv6 assumes there is data after the network header and blindly delivers
skbs to raw sockets without checking the presence of data.

With an application in a common loop where it checks select/poll/epoll
then ioctl(SIOCINQ/FIONREAD) is positive before continuing to recvfrom(),
this behaviour can cause the application to loop forever on ioctl()
because there is a zero-length skb to receive.

With this, it is very easy to make a Denial of Service attack by crafting
a packet which declares a Next Header in the IPv6 header but does not
actually supply a transport header and/or payload.

skb->len is already correctly set in ip6_input_finish() with pskb_pull()
so check this length before delivering zero data to raw sockets.

Signed-off-by: Jamie Bainbridge
--- net/ipv6/raw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 0da6a12b5472e322d679572c7244e5c9bc467741..29dfdcefe1cc5f4c082ed919026e49e70320605e 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c 
@@ -174,7 +174,7 @@ static bool ipv6_raw_deliver(struct sk_buff *skb, int nexthdr) read_lock(&raw_v6_hashinfo.lock); sk = sk_head(&raw_v6_hashinfo.ht[hash]); - if (!sk) + if (!sk || !(skb->len)) goto out; net = dev_net(skb->dev);
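
Review bot: The new skb->len test in ipv6_raw_deliver() is evaluated only after read_lock(&raw_v6_hashinfo.lock) and the sk_head() lookup, although it depends on neither. Testing the length before taking the lock would let empty packets, which the commit message describes as very easy to craft, leave without touching the hash lock. The parentheses in !(skb->len) are redundant (!skb->len is the usual form), and a one-line comment saying why empty skbs are skipped would help, since the reason is stated only in the commit message. Because the function returns bool, please also confirm what the caller does when this early exit reports that nothing was delivered.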
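
The application-side loop the commit message describes, as an added example that is not part of the patch or the kernel source: fragile_step() gates recv() on a positive FIONREAD, while robust_step() dequeues whenever poll() reports readability. The function names are hypothetical, and a constructed zero-length datagram on an AF_UNIX socket pair stands in for the raw IPv6 socket, assuming Linux.

```c
#include <poll.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Fragile pattern: recv() only when FIONREAD is positive.
 * Returns 1 if a datagram was consumed, -1 if nothing is pending,
 * 0 if the socket is readable but reports zero bytes (caller spins). */
int fragile_step(int fd)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int pending = 0;
    char buf[2048];

    if (poll(&p, 1, 0) <= 0 || !(p.revents & POLLIN))
        return -1;
    if (ioctl(fd, FIONREAD, &pending) == 0 && pending > 0)
        return recv(fd, buf, sizeof(buf), 0) >= 0 ? 1 : -1;
    return 0;
}

/* Hardened pattern: readiness from poll() decides; always dequeue,
 * so a zero-length datagram is consumed instead of being retried. */
int robust_step(int fd, ssize_t *len)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    char buf[2048];

    if (poll(&p, 1, 0) <= 0 || !(p.revents & POLLIN))
        return -1;
    *len = recv(fd, buf, sizeof(buf), MSG_DONTWAIT);
    return *len >= 0 ? 1 : -1;
}

/* Constructed input: queue one zero-length datagram on a socket pair. */
int make_pair_with_empty_datagram(int sv[2])
{
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    return send(sv[0], "", 0, 0) == 0 ? 0 : -1;
}

int main(void)
{
    int sv[2];
    ssize_t len = -1;
    return (make_pair_with_empty_datagram(sv) == 0 && fragile_step(sv[1]) == 0 &&
            robust_step(sv[1], &len) == 1 && len == 0) ? 0 : 1;
}
```
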