diff mbox series

ipv6: Prevent overrun when parsing v6 header options

Message ID 1555040048-31294-1-git-send-email-92siuyang@gmail.com
State Changes Requested
Delegated to: David Miller
Headers show
Series ipv6: Prevent overrun when parsing v6 header options | expand

Commit Message

Young Xiao April 12, 2019, 3:34 a.m. UTC 
From: Young Xiao <YangX92@hotmail.com>

The fragmentation code tries to parse the header options in order
to figure out where to insert the fragment option.  Since nexthdr points
to an invalid option, the calculation of the size of the network header
can made to be much larger than the linear section of the skb and data
is read outside of it.

This vulnerability is similar to CVE-2017-9074.

Signed-off-by: Young Xiao <YangX92@hotmail.com>
---
 net/ipv6/mip6.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

Comments

David Miller April 17, 2019, 3:45 a.m. UTC | #1 
From: Young Xiao <92siuyang@gmail.com>
Date: Fri, 12 Apr 2019 11:34:08 +0800

> -		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
> +
>  	}

Please just completely delete this line, and do not add an empty line before
the closing braces.

Thank you very much.
diff mbox series

Patch

diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
index 64f0f7b..1b3a6e4 100644
--- a/net/ipv6/mip6.c
+++ b/net/ipv6/mip6.c
@@ -263,8 +263,6 @@  static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 			       u8 **nexthdr)
 {
 	u16 offset = sizeof(struct ipv6hdr);
-	struct ipv6_opt_hdr *exthdr =
-				   (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
 	const unsigned char *nh = skb_network_header(skb);
 	unsigned int packet_len = skb_tail_pointer(skb) -
 		skb_network_header(skb);
@@ -272,7 +270,8 @@  static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 
 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
 
-	while (offset + 1 <= packet_len) {
+	while (offset <= packet_len) {
+		struct ipv6_opt_hdr *exthdr;
 
 		switch (**nexthdr) {
 		case NEXTHDR_HOP:
@@ -299,12 +298,16 @@  static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 			return offset;
 		}
 
+		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+			return -EINVAL;
+
+		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 		offset += ipv6_optlen(exthdr);
 		*nexthdr = &exthdr->nexthdr;
-		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
+
 	}
 
-	return offset;
+	return -EINVAL;
 }
 
 static int mip6_destopt_init_state(struct xfrm_state *x)
@@ -399,8 +402,6 @@  static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 			     u8 **nexthdr)
 {
 	u16 offset = sizeof(struct ipv6hdr);
-	struct ipv6_opt_hdr *exthdr =
-				   (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
 	const unsigned char *nh = skb_network_header(skb);
 	unsigned int packet_len = skb_tail_pointer(skb) -
 		skb_network_header(skb);
@@ -408,7 +409,8 @@  static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 
 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
 
-	while (offset + 1 <= packet_len) {
+	while (offset <= packet_len) {
+		struct ipv6_opt_hdr *exthdr;
 
 		switch (**nexthdr) {
 		case NEXTHDR_HOP:
@@ -434,12 +436,16 @@  static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 			return offset;
 		}
 
+		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+			return -EINVAL;
+
+		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
+
 		offset += ipv6_optlen(exthdr);
 		*nexthdr = &exthdr->nexthdr;
-		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 	}
 
-	return offset;
+	return -EINVAL;
 }
 
 static int mip6_rthdr_init_state(struct xfrm_state *x)