diff mbox series

[SRU,Trusty,Zesty,v2,1/2] ipv6: avoid overflow of offset in ip6_find_1stfragopt

Message ID 20171130164802.29160-2-kleber.souza@canonical.com
State New
Headers show
Series [SRU,Trusty,Zesty,v2,1/2] ipv6: avoid overflow of offset in ip6_find_1stfragopt | expand

Commit Message

Kleber Sacilotto de Souza Nov. 30, 2017, 4:48 p.m. UTC 
From: Sabrina Dubroca <sd@queasysnail.net>

In some cases, offset can overflow and can cause an infinite loop in
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.

This problem has been here since before the beginning of git history.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2017-7542
(cherry picked from commit 6399f1fae4ec29fab5ec76070435555e256ca3a6)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---
 net/ipv6/output_core.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Thadeu Lima de Souza Cascardo Dec. 12, 2017, 4:40 p.m. UTC | #1 
Applied to trusty and zesty master-next branches.

Thanks.
Cascardo.

Applied-to: trusty/master-next
Applied-to: zesty/master-next
diff mbox series

Patch

diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index 3764254f4523..cb80a45cd2d6 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -43,7 +43,7 @@  EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
 
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 {
-	u16 offset = sizeof(struct ipv6hdr);
+	unsigned int offset = sizeof(struct ipv6hdr);
 	unsigned int packet_len = skb_tail_pointer(skb) -
 		skb_network_header(skb);
 	int found_rhdr = 0;
@@ -51,6 +51,7 @@  int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 
 	while (offset <= packet_len) {
 		struct ipv6_opt_hdr *exthdr;
+		unsigned int len;
 
 		switch (**nexthdr) {
 
@@ -76,7 +77,10 @@  int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 
 		exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
 						 offset);
-		offset += ipv6_optlen(exthdr);
+		len = ipv6_optlen(exthdr);
+		if (len + offset >= IPV6_MAXPLEN)
+			return -EINVAL;
+		offset += len;
 		*nexthdr = &exthdr->nexthdr;
 	}