diff options
author | Sabrina Dubroca <sd@queasysnail.net> | 2017-07-19 22:28:55 +0200 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2017-08-26 02:14:05 +0100 |
commit | c5a5d1b1cb8449c77d3cb1663649391635228cff (patch) | |
tree | d9c9f1d34dc502a12cf23844aad35a998db13d4f | |
parent | 408ab21ebbf0c95946502005327a173a475c025c (diff) |
ipv6: avoid overflow of offset in ip6_find_1stfragopt
commit 6399f1fae4ec29fab5ec76070435555e256ca3a6 upstream.
In some cases, offset can overflow and can cause an infinite loop in
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
This problem has been here since before the beginning of git history.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r-- | net/ipv6/ip6_output.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index dd8aca80b6fe..a2a085299f68 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -561,13 +561,14 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from) int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) { - u16 offset = sizeof(struct ipv6hdr); + unsigned int offset = sizeof(struct ipv6hdr); unsigned int packet_len = skb->tail - skb->network_header; int found_rhdr = 0; *nexthdr = &ipv6_hdr(skb)->nexthdr; while (offset <= packet_len) { struct ipv6_opt_hdr *exthdr; + unsigned int len; switch (**nexthdr) { @@ -593,7 +594,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + offset); - offset += ipv6_optlen(exthdr); + len = ipv6_optlen(exthdr); + if (len + offset >= IPV6_MAXPLEN) + return -EINVAL; + offset += len; *nexthdr = &exthdr->nexthdr; } |