From patchwork Thu Mar 12 23:22:59 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Eric W. Biederman" X-Patchwork-Id: 449698 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id E26F61400D5 for ; Fri, 13 Mar 2015 10:26:50 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755433AbbCLX0o (ORCPT ); Thu, 12 Mar 2015 19:26:44 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:39448 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752470AbbCLX0l (ORCPT ); Thu, 12 Mar 2015 19:26:41 -0400 Received: from in01.mta.xmission.com ([166.70.13.51]) by out01.mta.xmission.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1YWCUy-00030a-3b; Thu, 12 Mar 2015 17:26:40 -0600 Received: from 70-59-163-10.omah.qwest.net ([70.59.163.10] helo=x220.int.ebiederm.org.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1YWCUx-00033C-Iy; Thu, 12 Mar 2015 17:26:39 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: David Miller Cc: rshearma@brocade.com, netdev@vger.kernel.org References: <5500BB5E.4070909@brocade.com> <87385a13jz.fsf@x220.int.ebiederm.org> <87wq2mym03.fsf_-_@x220.int.ebiederm.org> <20150312.182558.447886504045770209.davem@davemloft.net> <87h9tpzv76.fsf@x220.int.ebiederm.org> Date: Thu, 12 Mar 2015 18:22:59 -0500 In-Reply-To: <87h9tpzv76.fsf@x220.int.ebiederm.org> (Eric W. Biederman's message of "Thu, 12 Mar 2015 17:50:53 -0500") Message-ID: <87a8zhztpo.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux) MIME-Version: 1.0 X-XM-AID: U2FsdGVkX1/IQaei2lXHaB+eaVfUU6HqcPnRBKhHuAE= X-SA-Exim-Connect-IP: 70.59.163.10 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on sa04.xmission.com X-Spam-Level: X-Spam-Status: No, score=0.5 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE, TVD_RCVD_IP, T_TooManySym_01, T_TooManySym_02, XMSubLong autolearn=disabled version=3.4.0 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.7 XMSubLong Long Subject * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa04 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_02 5+ unique symbols in subject * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;David Miller X-Spam-Relay-Country: X-Spam-Timing: total 164 ms - load_scoreonly_sql: 0.03 (0.0%), signal_user_changed: 2.7 (1.7%), b_tie_ro: 1.98 (1.2%), parse: 0.60 (0.4%), extract_message_metadata: 12 (7.4%), get_uri_detail_list: 1.02 (0.6%), tests_pri_-1000: 7 (4.0%), tests_pri_-950: 1.10 (0.7%), tests_pri_-900: 0.86 (0.5%), tests_pri_-400: 16 (9.8%), check_bayes: 15 (9.3%), b_tokenize: 4.2 (2.5%), b_tok_get_all: 5 (3.2%), b_comp_prob: 1.48 (0.9%), b_tok_touch_all: 2.6 (1.6%), b_finish: 0.56 (0.3%), tests_pri_0: 118 (71.8%), tests_pri_500: 3.9 (2.4%), rewrite_mail: 0.00 (0.0%) Subject: [PATCH net-next ] mpls: In mpls_egress verify the packet length. X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Reobert Shearman noticed that mpls_egress is failing to verify that the bytes to be examined are in fact present in the packet before mpls_egress reads those bytes. As suggested by David Miller reduce this to a single pskb_may_pull call so that we don't do unnecessary work in the fast path. Reported-by: Robert Shearman Signed-off-by: "Eric W. Biederman" --- net/mpls/af_mpls.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c index 0ad8f7141be2..db8a2ea6d4de 100644 --- a/net/mpls/af_mpls.c +++ b/net/mpls/af_mpls.c @@ -92,9 +92,24 @@ static bool mpls_egress(struct mpls_route *rt, struct sk_buff *skb, * The strange cases if we choose to support them will require * manual configuration. */ - struct iphdr *hdr4 = ip_hdr(skb); + struct iphdr *hdr4; bool success = true; + /* The IPv4 code below accesses through the IPv4 header + * checksum, which is 12 bytes into the packet. + * The IPv6 code below accesses through the IPv6 hop limit + * which is 8 bytes into the packet. + * + * For all supported cases there should always be at least 12 + * bytes of packet data present. The IPv4 header is 20 bytes + * without options and the IPv6 header is always 40 bytes + * long. + */ + if (!pskb_may_pull(skb, 12)) + return false; + + /* Use ip_hdr to find the ip protocol version */ + hdr4 = ip_hdr(skb); if (hdr4->version == 4) { skb->protocol = htons(ETH_P_IP); csum_replace2(&hdr4->check,