mirror of
https://github.com/adulau/aha.git
synced 2025-01-01 05:36:24 +00:00
gso: Ensure that the packet is long enough
When we get a GSO packet from an untrusted source, we need to ensure that it is sufficiently long so that we don't end up crashing. Based on discovery and patch by Ian Campbell. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Tested-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
f557206800
commit
4e704ee3c2
1 changed files with 7 additions and 6 deletions
|
@ -2389,7 +2389,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
|
||||||
unsigned int seq;
|
unsigned int seq;
|
||||||
__be32 delta;
|
__be32 delta;
|
||||||
unsigned int oldlen;
|
unsigned int oldlen;
|
||||||
unsigned int len;
|
unsigned int mss;
|
||||||
|
|
||||||
if (!pskb_may_pull(skb, sizeof(*th)))
|
if (!pskb_may_pull(skb, sizeof(*th)))
|
||||||
goto out;
|
goto out;
|
||||||
|
@ -2405,10 +2405,13 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
|
||||||
oldlen = (u16)~skb->len;
|
oldlen = (u16)~skb->len;
|
||||||
__skb_pull(skb, thlen);
|
__skb_pull(skb, thlen);
|
||||||
|
|
||||||
|
mss = skb_shinfo(skb)->gso_size;
|
||||||
|
if (unlikely(skb->len <= mss))
|
||||||
|
goto out;
|
||||||
|
|
||||||
if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
|
if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
|
||||||
/* Packet is from an untrusted source, reset gso_segs. */
|
/* Packet is from an untrusted source, reset gso_segs. */
|
||||||
int type = skb_shinfo(skb)->gso_type;
|
int type = skb_shinfo(skb)->gso_type;
|
||||||
int mss;
|
|
||||||
|
|
||||||
if (unlikely(type &
|
if (unlikely(type &
|
||||||
~(SKB_GSO_TCPV4 |
|
~(SKB_GSO_TCPV4 |
|
||||||
|
@ -2419,7 +2422,6 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
|
||||||
!(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))
|
!(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
mss = skb_shinfo(skb)->gso_size;
|
|
||||||
skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);
|
skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);
|
||||||
|
|
||||||
segs = NULL;
|
segs = NULL;
|
||||||
|
@ -2430,8 +2432,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
|
||||||
if (IS_ERR(segs))
|
if (IS_ERR(segs))
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
len = skb_shinfo(skb)->gso_size;
|
delta = htonl(oldlen + (thlen + mss));
|
||||||
delta = htonl(oldlen + (thlen + len));
|
|
||||||
|
|
||||||
skb = segs;
|
skb = segs;
|
||||||
th = tcp_hdr(skb);
|
th = tcp_hdr(skb);
|
||||||
|
@ -2447,7 +2448,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
|
||||||
csum_fold(csum_partial(skb_transport_header(skb),
|
csum_fold(csum_partial(skb_transport_header(skb),
|
||||||
thlen, skb->csum));
|
thlen, skb->csum));
|
||||||
|
|
||||||
seq += len;
|
seq += mss;
|
||||||
skb = skb->next;
|
skb = skb->next;
|
||||||
th = tcp_hdr(skb);
|
th = tcp_hdr(skb);
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue