net: flow_dissector: fail on evil iph->ihl

We don't validate iph->ihl which may lead a dead loop if we meet a IPIP skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl is evil (less than 5). This issue were introduced by commit ec5efe79 (rps: support IPIP encapsulation). Cc: Eric Dumazet <edumazet@google.com> Cc: Petr Matousek <pmatouse@redhat.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: N Jason Wang <jasowang@redhat.com> Acked-by: N Eric Dumazet <edumazet@google.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

net: flow_dissector: fail on evil iph->ihl
We don't validate iph->ihl which may lead a dead loop if we meet a IPIP skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl is evil (less than 5). This issue were introduced by commit ec5efe79 (rps: support IPIP encapsulation). Cc: Eric Dumazet <edumazet@google.com> Cc: Petr Matousek <pmatouse@redhat.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: N Jason Wang <jasowang@redhat.com> Acked-by: N Eric Dumazet <edumazet@google.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
6f092343 · Jason Wang · David S. Miller · 2e19ef02 · 6f092343
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

net/core/flow_dissector.c net/core/flow_dissector.c +1 -1

未找到文件。
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -40,7 +40,7 @@ bool skb_flow_dissect(const struct sk_buff *skb, struct flow_keys *flow)
 		struct iphdr _iph;
 ip:
 		iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
-		if (!iph)
+		if (!iph || iph->ihl < 5)
 			return false;

 		if (ip_is_fragment(iph))