Commit bc6e019b authored Jan 03, 2019 by Stefano Brivio Committed by David S. Miller Jan 04, 2019

fou: Prevent unbounded recursion in GUE error handler also with UDP-Lite



In commit 11789039 ("fou: Prevent unbounded recursion in GUE error
handler"), I didn't take care of the case where UDP-Lite is encapsulated
into UDP or UDP-Lite with GUE. From a syzbot report about a possibly
similar issue with GUE on IPv6, I just realised the same thing might
happen with a UDP-Lite inner payload.

Also skip exception handling for inner UDP-Lite protocol.

Fixes: 11789039 ("fou: Prevent unbounded recursion in GUE error handler")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 41e4e2cd

net/ipv4/fou.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -1065,7 +1065,8 @@ static int gue_err(struct sk_buff *skb, u32 info)
		* recursion. Besides, this kind of encapsulation can't even be
		* configured currently. Discard this.
		*/
		if (guehdr->proto_ctype == IPPROTO_UDP)
		if (guehdr->proto_ctype == IPPROTO_UDP \|\|
		guehdr->proto_ctype == IPPROTO_UDPLITE)
		return -EOPNOTSUPP;

		skb_set_transport_header(skb, -(int)sizeof(struct icmphdr));