net: flow_dissector: fail on evil iph->ihl

commit 6f092343 upstream. We don't validate iph->ihl which may lead a dead loop if we meet a IPIP skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl is evil (less than 5). This issue were introduced by commit ec5efe79 (rps: support IPIP encapsulation). Cc: Eric Dumazet <edumazet@google.com> Cc: Petr Matousek <pmatouse@redhat.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> [bwh: Backported to 3.2: the affected code is in __skb_get_rxhash()] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

net: flow_dissector: fail on evil iph->ihl
commit 6f092343 upstream. We don't validate iph->ihl which may lead a dead loop if we meet a IPIP skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl is evil (less than 5). This issue were introduced by commit ec5efe79 (rps: support IPIP encapsulation). Cc: Eric Dumazet <edumazet@google.com> Cc: Petr Matousek <pmatouse@redhat.com> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> [bwh: Backported to 3.2: the affected code is in __skb_get_rxhash()] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
f7d537dc · Jason Wang · Ben Hutchings · cc5285f4 · f7d537dc
Commit f7d537dc authored Nov 01, 2013 by Jason Wang Committed by Ben Hutchings Jan 03, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

net/core/dev.c net/core/dev.c +2 -0

No files found.
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2609,6 +2609,8 @@ void __skb_get_rxhash(struct sk_buff *skb)
 			goto done;

 		ip = (const struct iphdr *) (skb->data + nhoff);
+		if (ip->ihl < 5)
+			goto done;
 		if (ip_is_fragment(ip))
 			ip_proto = 0;
 		else