Message ID | 20210126111847.3142636-2-philmd@redhat.com |
---|---|
State | New |
Series | net/eth: Fix stack-buffer-overflow in _eth_get_rss_ex_dst_addr() | expand |
On Tue, Jan 26, 2021 at 12:18:46PM +0100, Philippe Mathieu-Daudé wrote:
>The length field is already contained in the ip6_ext_hdr structure.
>Check it direcly in eth_parse_ipv6_hdr() before calling
>_eth_get_rss_ex_dst_addr(), which gets a bit simplified.
>
>Reviewed-by: Miroslav Rezanina <mrezanin@redhat.com>
>Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
>---
> net/eth.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
>
>diff --git a/net/eth.c b/net/eth.c
>index 1e0821c5f81..7d4dd48c1ff 100644
>--- a/net/eth.c
>+++ b/net/eth.c
>@@ -407,9 +407,7 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags,
> {
> struct ip6_ext_hdr_routing *rthdr = (struct ip6_ext_hdr_routing *) ext_hdr;
>
>- if ((rthdr->rtype == 2) &&
>- (rthdr->len == sizeof(struct in6_address) / 8) &&
>- (rthdr->segleft == 1)) {
>+ if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
>
> size_t input_size = iov_size(pkt, pkt_frags);
> size_t bytes_read;
>@@ -528,10 +526,12 @@ bool eth_parse_ipv6_hdr(const struct iovec *pkt, int pkt_frags,
> }
>
> if (curr_ext_hdr_type == IP6_ROUTING) {
>- info->rss_ex_dst_valid =
>- _eth_get_rss_ex_dst_addr(pkt, pkt_frags,
>- ip6hdr_off + info->full_hdr_len,
>- &ext_hdr, &info->rss_ex_dst);
>+ if (ext_hdr.ip6r_len == sizeof(struct in6_address) / 8) {
>+ info->rss_ex_dst_valid =
>+ _eth_get_rss_ex_dst_addr(pkt, pkt_frags,
>+ ip6hdr_off + info->full_hdr_len,
>+ &ext_hdr, &info->rss_ex_dst);
>+ }
> } else if (curr_ext_hdr_type == IP6_DESTINATON) {
> info->rss_ex_src_valid =
> _eth_get_rss_ex_src_addr(pkt, pkt_frags,
>--
>2.26.2
>
>
diff --git a/net/eth.c b/net/eth.c
index 1e0821c5f81..7d4dd48c1ff 100644
--- a/net/eth.c
+++ b/net/eth.c
@@ -407,9 +407,7 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags,
 {
 struct ip6_ext_hdr_routing *rthdr = (struct ip6_ext_hdr_routing *) ext_hdr;
- if ((rthdr->rtype == 2) &&
- (rthdr->len == sizeof(struct in6_address) / 8) &&
- (rthdr->segleft == 1)) {
+ if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
 size_t input_size = iov_size(pkt, pkt_frags);
 size_t bytes_read;
@@ -528,10 +526,12 @@ bool eth_parse_ipv6_hdr(const struct iovec *pkt, int pkt_frags,
 }
 if (curr_ext_hdr_type == IP6_ROUTING) {
- info->rss_ex_dst_valid =
- _eth_get_rss_ex_dst_addr(pkt, pkt_frags,
- ip6hdr_off + info->full_hdr_len,
- &ext_hdr, &info->rss_ex_dst);
+ if (ext_hdr.ip6r_len == sizeof(struct in6_address) / 8) {
+ info->rss_ex_dst_valid =
+ _eth_get_rss_ex_dst_addr(pkt, pkt_frags,
+ ip6hdr_off + info->full_hdr_len,
+ &ext_hdr, &info->rss_ex_dst);
+ }
 } else if (curr_ext_hdr_type == IP6_DESTINATON) {
 info->rss_ex_src_valid =
 _eth_get_rss_ex_src_addr(pkt, pkt_frags,
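Review bot: The cast `(struct ip6_ext_hdr_routing *) ext_hdr` at the top of `_eth_get_rss_ex_dst_addr()` is still followed by reads of `rthdr->rtype` and `rthdr->segleft`, and nothing visible guarantees that the caller's object is that large. The second hunk passes `&ext_hdr` and reads `ext_hdr.ip6r_len` from it, which suggests the caller holds only the generic extension header; if so, both fields lie past the end of that stack object, which would match the overflow named in the series title. Moving the length test to the caller does not change that. I would read the routing header from the packet itself with `iov_to_buf()` into a local `struct ip6_ext_hdr_routing`, return false on a short read, and only then test `rtype` and `segleft`. The function body continues outside the hunk.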
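Review bot: In `eth_parse_ipv6_hdr()`, a routing header whose `ip6r_len` fails the new test now leaves `info->rss_ex_dst_valid` untouched, whereas the old code always stored the helper's result, which was false for a bad length. If the enclosing code walks several extension headers, as the neighbouring `curr_ext_hdr_type` branches suggest, an earlier well-formed routing header could leave the flag true after a later malformed one that previously cleared it. Adding `} else { info->rss_ex_dst_valid = false; }` would keep the earlier behaviour. A short comment on the comparison would also help, for example `/* Hdr Ext Len is in 8-octet units: exactly one IPv6 address follows */`. The function starts and ends outside the hunk.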