[TCP]: Reset gso_segs if packet is dodgy (3820c3f3) · Commits · e / devices / android_kernel_fairphone_FP5

I wasn't paranoid enough in verifying GSO information. A bogus gso_segs could upset drivers as much as a bogus header would. Let's reset it in the per-protocol gso_segment functions. I didn't verify gso_size because that can be verified by the source of the dodgy packets. Signed-off-by:

Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:

David S. Miller <davem@davemloft.net>

net/ipv4/tcp.c

+10 −4

Original line number	Diff line number	Diff line
		@@ -2166,13 +2166,19 @@ struct sk_buff tcp_tso_segment(struct sk_buff skb, int features)
		if (!pskb_may_pull(skb, thlen))
		goto out;

		segs = NULL;
		if (skb_gso_ok(skb, features \| NETIF_F_GSO_ROBUST))
		goto out;

		oldlen = (u16)~skb->len;
		__skb_pull(skb, thlen);

		if (skb_gso_ok(skb, features \| NETIF_F_GSO_ROBUST)) {
		/* Packet is from an untrusted source, reset gso_segs. */
		int mss = skb_shinfo(skb)->gso_size;

		skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;

		segs = NULL;
		goto out;
		}

		segs = skb_segment(skb, features);
		if (IS_ERR(segs))
		goto out;