Commit 1e4dab5a authored Aug 21, 2021 by Shreyansh Chouhan Committed by Alexander Grund Feb 18, 2022

BACKPORT: ip_gre: add validation for csum_start



[ Upstream commit 1d011c4803c72f3907eccfc1ec63caefb852fcbf ]

Validate csum_start in gre_handle_offloads before we call _gre_xmit so
that we do not crash later when the csum_start value is used in the
lco_csum function call.

This patch deals with ipv4 code.

Fixes: c5441932 ("GRE: Refactor GRE tunneling code.")
Reported-by:  <syzbot+ff8e1b9f2f36481e2efc@syzkaller.appspotmail.com>
Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Change-Id: I9dca612e35d2fc085f183ff9bcdcfa4b9cba3d0a
Bug: 150694665

parent 6656bc3c

net/ipv4/ip_gre.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -502,6 +502,10 @@ static void __gre_xmit(struct sk_buff skb, struct net_device dev,
		static struct sk_buff gre_handle_offloads(struct sk_buff skb,
		bool csum)
		{
		unsigned char *skb_checksum_start = skb->head + skb->csum_start;

		if (csum && skb_checksum_start < skb->data)
		return ERR_PTR(-EINVAL);
		return iptunnel_handle_offloads(skb, csum,
		csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE);
		}