
Commit 374d1b5a authored by Steffen Klassert

esp: Fix GRO when the headers not fully in the linear part of the skb.



The GRO layer does not necessarily pull the complete headers
into the linear part of the skb, a part may remain on the
first page fragment. This can lead to a crash if we try to
pull the headers, so make sure we have them on the linear
part before pulling.

Fixes: 7785bba2 ("esp: Add a software GRO codepath")
Reported-by: <syzbot+82bbd65569c49c6c0c4d@syzkaller.appspotmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
parent b1bdcb59
+2 −1
@@ -38,7 +38,8 @@ static struct sk_buff **esp4_gro_receive(struct sk_buff **head,
	__be32 spi;
	int err;

	skb_pull(skb, offset);
	if (!pskb_pull(skb, offset))
		return NULL;

	if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
		goto out;
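Review bot: The new failure path in esp4_gro_receive() leaves with a bare `return NULL`, while the xfrm_parse_spi() failure two lines below leaves through `goto out`. The `out` label is not visible in this hunk, so it is not clear from the diff whether bypassing it is intended. If `out` only undoes the pull, skipping it is right, because nothing was pulled when pskb_pull() fails. If it also marks the packet so that GRO stops aggregating it, the direct return skips that step. Please either route this failure through a label that does the non-pull part of the cleanup, or add a short comment saying why a plain return is sufficient here.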
+2 −1
@@ -60,7 +60,8 @@ static struct sk_buff **esp6_gro_receive(struct sk_buff **head,
	int nhoff;
	int err;

	skb_pull(skb, offset);
	if (!pskb_pull(skb, offset))
		return NULL;

	if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
		goto out;
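Review bot: The pskb_pull() check in esp6_gro_receive() has no comment, and the reason for it lives only in the commit message. A reader who sees `if (!pskb_pull(skb, offset))` next to the unchecked pulls used elsewhere has no hint that GRO may leave part of the headers on the first page fragment. A one-line comment above the call stating that would keep the check from being "simplified" back to skb_pull() later. As in the IPv4 hunk, the early `return NULL` differs from the `goto out` used for the xfrm_parse_spi() failure right after it, so whichever exit convention is chosen should be the same in both files.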