From patchwork Fri Feb 3 08:03:26 2017
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 723457
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1486109006.21871.79.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATCH net] netlabel: out of bound access in cipso_v4_validate()
From: Eric Dumazet
To: David Miller
Cc: netdev, Paul Moore, Dmitry Vyukov
Date: Fri, 03 Feb 2017 00:03:26 -0800
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

syzkaller found another out of bound access in ip_options_compile(), or more exactly in cipso_v4_validate()

Fixes: 20e2a8648596 ("cipso: handle CIPSO options correctly when NetLabel is disabled")
Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
Signed-off-by: Eric Dumazet
Reported-by: Dmitry Vyukov
Cc: Paul Moore
Acked-by: Paul Moore
--- include/net/cipso_ipv4.h | 4 ++++ net/ipv4/cipso_ipv4.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h index 3ebb168b9afc68ad639b5d32f6182a845c83d759..a34b141f125f0032662f147b598c9fef4fb4bcef 100644 --- a/include/net/cipso_ipv4.h +++ b/include/net/cipso_ipv4.h 
@@ -309,6 +309,10 @@ static inline int cipso_v4_validate(const struct sk_buff *skb, } for (opt_iter = 6; opt_iter < opt_len;) { + if (opt_iter + 1 == opt_len) { + err_offset = opt_iter; + goto out; + } tag_len = opt[opt_iter + 1]; if ((tag_len == 0) || (tag_len > (opt_len - opt_iter))) { err_offset = opt_iter + 1; diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 72d6f056d863603c959e1d04b9f863909a37c758..ae206163c273381ba6e8bd8a24fa050619a4a6ae 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -1587,6 +1587,10 @@ int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option) goto validate_return_locked; } + if (opt_iter + 1 == opt_len) { + err_offset = opt_iter; + goto validate_return_locked; + } tag_len = tag[1]; if (tag_len > (opt_len - opt_iter)) { err_offset = opt_iter + 1;
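
Review bot: In the include/net/cipso_ipv4.h hunk, the new guard uses an equality test, "if (opt_iter + 1 == opt_len)", which is only sufficient because the enclosing for loop already guarantees opt_iter < opt_len. Writing it as "opt_iter + 1 >= opt_len" would keep the read of opt[opt_iter + 1] in bounds even if the loop condition or the iterator update changes later. A one-line comment saying that a tag needs at least its type and length bytes would also document why the check sits before the tag_len read.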
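
Review bot: In the net/ipv4/cipso_ipv4.c hunk, the guard is written in terms of opt_iter and opt_len while the byte it protects is read as tag[1], and the visible lines do not state how tag relates to opt_iter at this point. A short comment giving that invariant next to the check would let it be reviewed on its own. The same four lines are also added to the inline cipso_v4_validate() in the header, and both copies set err_offset = opt_iter while the tag_len check immediately after reports opt_iter + 1; please say in the commit message which offset is intended for a truncated tag so the two copies stay consistent.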