Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-07 22:42:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

bareudp: Fix invalid read beyond skb's linear data

Browse Source 
Data beyond the UDP header might not be part of the skb's linear data.
Use skb_copy_bits() instead of direct access to skb->data+X, so that
we read the correct bytes even on a fragmented skb.

Fixes: 4b5f67232d ("net: Special handling for IP & MPLS.")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Link: https://lore.kernel.org/r/7741c46545c6ef02e70c80a9b32814b22d9616b3.1628264975.git.gnault@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Guillaume Nault 2021-08-06 17:52:06 +02:00 committed by Jakub Kicinski
parent d6e712aa7e
commit 143a8526ab
1 changed files with 11 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
drivers/net/bareudp.c
View File

@ -71,12 +71,18 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
family = AF_INET6;
if (bareudp->ethertype == htons(ETH_P_IP)) {
struct iphdr *iphdr;
__u8 ipversion;
iphdr = (struct iphdr *)(skb->data + BAREUDP_BASE_HLEN);
if (iphdr->version == 4) {
proto = bareudp->ethertype;
} else if (bareudp->multi_proto_mode && (iphdr->version == 6)) {
if (skb_copy_bits(skb, BAREUDP_BASE_HLEN, &ipversion,
sizeof(ipversion))) {
bareudp->dev->stats.rx_dropped++;
goto drop;
}
ipversion >>= 4;
if (ipversion == 4) {
proto = htons(ETH_P_IP);
} else if (ipversion == 6 && bareudp->multi_proto_mode) {
proto = htons(ETH_P_IPV6);
} else {
bareudp->dev->stats.rx_dropped++;