
Commit 34fad54c authored by Eric Dumazet, committed by David S. Miller

net: __skb_flow_dissect() must cap its return value



After Tom's patch, the thoff field could point past the end of the buffer;
this could fool some callers.

If an skb was provided, skb->len should be the upper limit.
If not, hlen is supposed to be the upper limit.

Fixes: a6e544b0 ("flow_dissector: Jump to exit code in __skb_flow_dissect")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Yibin Yang <yibyang@cisco.com>
Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 79774d6b
+8 −3
@@ -122,7 +122,7 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
	struct flow_dissector_key_keyid *key_keyid;
	bool skip_vlan = false;
	u8 ip_proto = 0;
	bool ret = false;
	bool ret;

	if (!data) {
		data = skb->data;
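Review bot: With the `= false` initializer dropped from `ret` at the declaration, the return value is defined only because both exits assign it (`ret = true` under `out_good`, `ret = false` under `out_bad`). The change also introduces a bare `out:` label, so a later `goto out` added from anywhere else would return an indeterminate value. Either keep the initializer or add a comment at `out:` stating that it may only be reached by falling through from `out_good` or by the jump at the end of `out_bad`.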
@@ -549,12 +549,17 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
out_good:
	ret = true;

out_bad:
	key_control->thoff = (u16)nhoff;
out:
	key_basic->n_proto = proto;
	key_basic->ip_proto = ip_proto;
	key_control->thoff = (u16)nhoff;

	return ret;

out_bad:
	ret = false;
	key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
	goto out;
}
EXPORT_SYMBOL(__skb_flow_dissect);
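Review bot: In `out_bad`, `min_t(u16, nhoff, skb ? skb->len : hlen)` casts both operands to u16 before comparing, so if the length is wider than 16 bits the limit itself is truncated and the clamp can land on an unrelated smaller value. Doing the comparison in the wider type and casting only the result to u16 would avoid that. The `out_good` path still stores `(u16)nhoff` without the clamp; if the offset is guaranteed to be in bounds on that path, a one-line comment saying so would help the next reader. It would also be worth documenting that thoff can now equal the buffer length on failure, which leaves callers zero bytes to read at that offset.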