[SRU,Trusty,Zesty,v2,2/2] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()

Message ID 20171130164802.29160-3-kleber.souza@canonical.com
State New
Headers show
Series
  • Untitled series #16006
Related show

Commit Message

Kleber Souza Nov. 30, 2017, 4:48 p.m.
From: Stefano Brivio <sbrivio@redhat.com>

A packet length of exactly IPV6_MAXPLEN is allowed, we should
refuse parsing options only if the size is 64KiB or more.

While at it, remove one extra variable and one assignment which
were also introduced by the commit that introduced the size
check. Checking the sum 'offset + len' and only later adding
'len' to 'offset' doesn't provide any advantage over directly
summing to 'offset' and checking it.

Fixes: 6399f1fae4ec ("ipv6: avoid overflow of offset in ip6_find_1stfragopt")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2017-7542
(cherry picked from commit 3de33e1ba0506723ab25734e098cf280ecc34756)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---
 net/ipv6/output_core.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

Patch

diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index cb80a45cd2d6..1b03fe190d97 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -51,7 +51,6 @@  int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 
 	while (offset <= packet_len) {
 		struct ipv6_opt_hdr *exthdr;
-		unsigned int len;
 
 		switch (**nexthdr) {
 
@@ -77,10 +76,9 @@  int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 
 		exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
 						 offset);
-		len = ipv6_optlen(exthdr);
-		if (len + offset >= IPV6_MAXPLEN)
+		offset += ipv6_optlen(exthdr);
+		if (offset > IPV6_MAXPLEN)
 			return -EINVAL;
-		offset += len;
 		*nexthdr = &exthdr->nexthdr;
 	}