esp: Fix GRO when the headers not fully in the linear part of the skb.
authorSteffen Klassert <steffen.klassert@secunet.com>
Fri, 5 Jan 2018 07:35:47 +0000 (08:35 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 25 Feb 2018 10:07:46 +0000 (11:07 +0100)
commit 374d1b5a81f7f9cc5e7f095ac3d5aff3f6600376 upstream.

The GRO layer does not necessarily pull the complete headers
into the linear part of the skb, a part may remain on the
first page fragment. This can lead to a crash if we try to
pull the headers, so make sure we have them on the linear
part before pulling.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Reported-by: syzbot+82bbd65569c49c6c0c4d@syzkaller.appspotmail.com
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/ipv4/esp4_offload.c
net/ipv6/esp6_offload.c

index 56c49623bb9d735e4beef57e1e46be73ec57d65f..29b333a62ab01d606301ae45a7ec5f198cf1a5a0 100644 (file)
@@ -38,7 +38,8 @@ static struct sk_buff **esp4_gro_receive(struct sk_buff **head,
        __be32 spi;
        int err;
 
-       skb_pull(skb, offset);
+       if (!pskb_pull(skb, offset))
+               return NULL;
 
        if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
                goto out;
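Review bot: The new early `return NULL` after a failed pskb_pull() bypasses the `out:` label used by the xfrm_parse_spi() failure just below, so whatever GRO-control-block state that label presumably sets (flush/same_flow) is not applied, and an skb too short to even hold the ESP header may be held on the GRO list rather than flushed immediately. Returning directly instead of `goto out` is nonetheless the right shape here, since pskb_pull() does not move skb->data on failure and an unconditional skb_push(skb, offset) on that path would be unbalanced. Consider `NAPI_GRO_CB(skb)->flush = 1;` ahead of the return, or at least a one-line comment such as `/* nothing was pulled, so skip the out: unwind */` so a reader does not "fix" it into a goto later. The same applies verbatim to the esp6_gro_receive hunk in net/ipv6/esp6_offload.c. esp4_gro_receive begins before the hunk and its `out:` label lies after it, so the exact unwind done there cannot be confirmed from this page.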
index 1ea9d794447e78197a543987e4688517eb9dac4f..f52c314d4c97086fba003709f506ec7e408baba8 100644 (file)
@@ -60,7 +60,8 @@ static struct sk_buff **esp6_gro_receive(struct sk_buff **head,
        int nhoff;
        int err;
 
-       skb_pull(skb, offset);
+       if (!pskb_pull(skb, offset))
+               return NULL;
 
        if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
                goto out;