redonkable
/
remarkable-linux
1
0
Fork 0
Code Releases Activity

esp: Fix GRO when the headers not fully in the linear part of the skb. 

commit 374d1b5a81 upstream.

The GRO layer does not necessarily pull the complete headers
into the linear part of the skb, a part may remain on the
first page fragment. This can lead to a crash if we try to
pull the headers, so make sure we have them on the linear
part before pulling.

Fixes: 7785bba299 ("esp: Add a software GRO codepath")
Reported-by: syzbot+82bbd65569c49c6c0c4d@syzkaller.appspotmail.com
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
pull/10/head
Steffen Klassert 2018-01-05 08:35:47 +01:00 committed by Greg Kroah-Hartman
parent 447f1170c2
commit 2019413609
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
net/ipv4/esp4_offload.c
View File

@ -38,7 +38,8 @@ static struct sk_buff **esp4_gro_receive(struct sk_buff **head,
__be32 spi;
int err;
skb_pull(skb, offset);
if (!pskb_pull(skb, offset))
return NULL;
if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
goto out;

3
net/ipv6/esp6_offload.c
View File

@ -60,7 +60,8 @@ static struct sk_buff **esp6_gro_receive(struct sk_buff **head,
int nhoff;
int err;
skb_pull(skb, offset);
if (!pskb_pull(skb, offset))
return NULL;
if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
goto out;