Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4e704ee3 authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller
Browse files

gso: Ensure that the packet is long enough 



When we get a GSO packet from an untrusted source, we need to
ensure that it is sufficiently long so that we don't end up
crashing.

Based on discovery and patch by Ian Campbell.

Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Tested-by: default avatarIan Campbell <ian.campbell@citrix.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent f5572068

net/ipv4/tcp.c

+7 −6
Original line number Diff line number Diff line
@@ -2389,7 +2389,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features) 
	unsigned int seq;

	__be32 delta;

	unsigned int oldlen;

	unsigned int len;

	unsigned int mss;



	if (!pskb_may_pull(skb, sizeof(*th)))

		goto out;
@@ -2405,10 +2405,13 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features) 
	oldlen = (u16)~skb->len;

	__skb_pull(skb, thlen);



	mss = skb_shinfo(skb)->gso_size;

	if (unlikely(skb->len <= mss))

		goto out;



	if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {

		/* Packet is from an untrusted source, reset gso_segs. */

		int type = skb_shinfo(skb)->gso_type;

		int mss;



		if (unlikely(type &

			     ~(SKB_GSO_TCPV4 |
@@ -2419,7 +2422,6 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features) 
			     !(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))

			goto out;



		mss = skb_shinfo(skb)->gso_size;

		skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);



		segs = NULL;
@@ -2430,8 +2432,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features) 
	if (IS_ERR(segs))

		goto out;



	len = skb_shinfo(skb)->gso_size;

	delta = htonl(oldlen + (thlen + len));

	delta = htonl(oldlen + (thlen + mss));



	skb = segs;

	th = tcp_hdr(skb);
@@ -2447,7 +2448,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features) 
			     csum_fold(csum_partial(skb_transport_header(skb),

						    thlen, skb->csum));



		seq += len;

		seq += mss;

		skb = skb->next;

		th = tcp_hdr(skb);