From patchwork Thu Nov 30 16:48:02 2017
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 843101
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][Zesty][PATCH v2 2/2] ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
Date: Thu, 30 Nov 2017 17:48:02 +0100
Message-Id: <20171130164802.29160-3-kleber.souza@canonical.com>
In-Reply-To: <20171130164802.29160-1-kleber.souza@canonical.com>
References: <20171130164802.29160-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Stefano Brivio A packet length of exactly IPV6_MAXPLEN is allowed, we should refuse parsing options only if the size is 64KiB or more. While at it, remove one extra variable and one assignment which were also introduced by the commit that introduced the size check. Checking the sum 'offset + len' and only later adding 'len' to 'offset' doesn't provide any advantage over directly summing to 'offset' and checking it. Fixes: 6399f1fae4ec ("ipv6: avoid overflow of offset in ip6_find_1stfragopt") Signed-off-by: Stefano Brivio Signed-off-by: David S. Miller CVE-2017-7542 (cherry picked from commit 3de33e1ba0506723ab25734e098cf280ecc34756) Signed-off-by: Kleber Sacilotto de Souza --- net/ipv6/output_core.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c index cb80a45cd2d6..1b03fe190d97 100644 --- a/net/ipv6/output_core.c +++ b/net/ipv6/output_core.c @@ -51,7 +51,6 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) while (offset <= packet_len) { struct ipv6_opt_hdr *exthdr; - unsigned int len; switch (**nexthdr) { @@ -77,10 +76,9 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + offset); - len = ipv6_optlen(exthdr); - if (len + offset >= IPV6_MAXPLEN) + offset += ipv6_optlen(exthdr); + if (offset > IPV6_MAXPLEN) return -EINVAL; - offset += len; *nexthdr = &exthdr->nexthdr; }
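Review bot: dropping the `unsigned int len;` declaration in the first hunk only builds together with the second hunk, which removes both of its uses, so when this is applied as an SRU cherry-pick of 3de33e1ba0506723ab25734e098cf280ecc34756 onto the Trusty and Zesty trees, confirm that the loop body in those older versions of ip6_find_1stfragopt() has no other reference to `len` outside the shown context; a leftover use would fail to compile rather than misbehave, but it is the kind of backport mismatch that a build test on each target series should catch before the patch is accepted.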
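Review bot: the relaxed bound `if (offset > IPV6_MAXPLEN)` replacing `if (len + offset >= IPV6_MAXPLEN)` in the second hunk is the whole behavioural change and deserves a one-line comment at the check, for example `/* a payload of exactly IPV6_MAXPLEN is valid; reject only larger */`, because a later reader will otherwise see what looks like an off-by-one and be tempted to tighten it back to `>=`. The reordering itself is sound as shown: `offset` is advanced by `ipv6_optlen(exthdr)` and checked before `*nexthdr = &exthdr->nexthdr;` and before the next iteration's `while (offset <= packet_len)` test, so the function still returns -EINVAL before any header past the limit is parsed. The commit message's claim that checking the sum first gains nothing over adding to `offset` and checking it holds only while `offset` is wide enough that the addition cannot wrap, which is what the referenced Fixes: commit 6399f1fae4ec ("ipv6: avoid overflow of offset in ip6_find_1stfragopt") is about, so that dependency is worth stating in the changelog for the SRU record.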