    seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds · bb986a50
    Ahmed Abdelsalam authored
    The seg6_validate_srh() is used to validate SRH for three cases:
    
    case1: SRH of data-plane SRv6 packets to be processed by the Linux kernel.
    case2: SRH of the netlink message received from user-space (iproute2)
    case3: SRH injected into packets through setsockopt
    
    In case1, the SRH can be encoded in the Reduced way (i.e., first SID is
    carried in DA only and not represented as SID in the SRH) and the
    seg6_validate_srh() now handles this case correctly.
    
    In case2 and case3, the SRH shouldn’t be encoded in the Reduced way
    otherwise we lose the first segment (i.e., the first hop).
    
    The current implementation of the seg6_validate_srh() allows SRH of case2
    and case3 to be encoded in the Reduced way. This leads to a slab-out-of-bounds
    problem.
    
    This patch verifies SRH of case1, case2 and case3, allowing case1 to be
    reduced while preventing SRH of case2 and case3 from being reduced.
    
    Reported-by: syzbot+e8c028b62439eac42073@syzkaller.appspotmail.com
    Reported-by: YueHaibing <yuehaibing@huawei.com>
    Fixes: 0cb7498f ("seg6: fix SRH processing to comply with RFC8754")
    Signed-off-by: Ahmed Abdelsalam <ahabdels@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
seg6.h 1.58 KB
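
An added example, not the kernel's code and not part of the commit: a userspace C validator for the distinction the commit message draws, accepting a reduced SRH only when the caller says the header came from the data plane (case1). Field offsets follow RFC 8754; `srh_is_valid`, `check_sample`, the `allow_reduced` parameter and the sample headers are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SRH_FIXED_LEN 8   /* fixed SRH fields before the SID list (RFC 8754) */
#define SID_LEN       16  /* one IPv6 segment identifier */
#define SRH_TYPE      4   /* routing type of the Segment Routing Header */

/* Hypothetical userspace validator. allow_reduced is true only for case1
 * (packets from the data plane); case2 and case3 pass false. */
bool srh_is_valid(const uint8_t *buf, size_t len, bool allow_reduced)
{
    if (len < SRH_FIXED_LEN)
        return false;
    uint8_t hdrlen = buf[1], type = buf[2];
    uint8_t segments_left = buf[3], last_entry = buf[4];
    if (type != SRH_TYPE)
        return false;
    if (((size_t)hdrlen + 1) * 8 != len)          /* declared vs. actual size */
        return false;
    if (SRH_FIXED_LEN + ((size_t)last_entry + 1) * SID_LEN > len)
        return false;                             /* SID list overruns header */
    /* Reduced form: the first SID is only in the IPv6 DA, so Segments Left
     * may be last_entry + 1. A consumer that indexes the SID list with
     * that value would read one entry past the list. */
    return (unsigned)segments_left <= (unsigned)last_entry + (allow_reduced ? 1u : 0u);
}

/* Builds a constructed SRH holding n_sids zeroed SIDs and validates it. */
bool check_sample(uint8_t n_sids, uint8_t segments_left, bool allow_reduced)
{
    uint8_t buf[SRH_FIXED_LEN + 4 * SID_LEN] = {0};
    size_t len = SRH_FIXED_LEN + (size_t)n_sids * SID_LEN;
    if (n_sids == 0 || n_sids > 4)
        return false;
    buf[1] = (uint8_t)(len / 8 - 1);  /* hdrlen in 8-byte units */
    buf[2] = SRH_TYPE;
    buf[3] = segments_left;
    buf[4] = (uint8_t)(n_sids - 1);   /* last_entry */
    return srh_is_valid(buf, len, allow_reduced);
}

int main(void)
{
    printf("full SRH, netlink/setsockopt:    %d\n", check_sample(2, 1, false));
    printf("reduced SRH, data plane:         %d\n", check_sample(2, 2, true));
    printf("reduced SRH, netlink/setsockopt: %d\n", check_sample(2, 2, false));
    return 0;
}
```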