Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 157d1c7a authored by Cong Wang's avatar Cong Wang Committed by Greg Kroah-Hartman
Browse files

bonding: validate ip header before check IPPROTO_IGMP 



[ Upstream commit 9d1bc24b52fb8c5d859f9a47084bf1179470e04c ]

bond_xmit_roundrobin() checks for IGMP packets but it parses
the IP header even before checking skb->protocol.

We should validate the IP header with pskb_may_pull() before
using iph->protocol.

Reported-and-tested-by: default avatar <syzbot+e5be16aa39ad6e755391@syzkaller.appspotmail.com>
Fixes: a2fd940f ("bonding: fix broken multicast with round-robin mode")
Cc: Jay Vosburgh <j.vosburgh@gmail.com>
Cc: Veaceslav Falico <vfalico@gmail.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 88f751b0

drivers/net/bonding/bond_main.c

+23 −14
Original line number Diff line number Diff line
@@ -3852,8 +3852,8 @@ static netdev_tx_t bond_xmit_roundrobin(struct sk_buff *skb, 
					struct net_device *bond_dev)

{

	struct bonding *bond = netdev_priv(bond_dev);

	struct iphdr *iph = ip_hdr(skb);

	struct slave *slave;

	int slave_cnt;

	u32 slave_id;



	/* Start with the curr_active_slave that joined the bond as the
@@ -3862,23 +3862,32 @@ static netdev_tx_t bond_xmit_roundrobin(struct sk_buff *skb, 
	 * send the join/membership reports.  The curr_active_slave found

	 * will send all of this type of traffic.

	 */

	if (iph->protocol == IPPROTO_IGMP && skb->protocol == htons(ETH_P_IP)) {

	if (skb->protocol == htons(ETH_P_IP)) {

		int noff = skb_network_offset(skb);

		struct iphdr *iph;



		if (unlikely(!pskb_may_pull(skb, noff + sizeof(*iph))))

			goto non_igmp;



		iph = ip_hdr(skb);

		if (iph->protocol == IPPROTO_IGMP) {

			slave = rcu_dereference(bond->curr_active_slave);

			if (slave)

				bond_dev_queue_xmit(bond, skb, slave->dev);

			else

				bond_xmit_slave_id(bond, skb, 0);

	} else {

		int slave_cnt = READ_ONCE(bond->slave_cnt);

			return NETDEV_TX_OK;

		}

	}



non_igmp:

	slave_cnt = READ_ONCE(bond->slave_cnt);

	if (likely(slave_cnt)) {

		slave_id = bond_rr_gen_slave_id(bond);

		bond_xmit_slave_id(bond, skb, slave_id % slave_cnt);

	} else {

		bond_tx_drop(bond_dev, skb);

	}

	}



	return NETDEV_TX_OK;

}