| Message ID | 20210819143447.314539-1-chouhan.shreyansh630@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | ip_gre/ip6_gre: add check for invalid csum_start | expand |
Hi, Thank you Jakub and Willem for your reviews. I have separated the changes into two differnet patches. Sorry for the delay. Where can I read about patch targets? I have seen patches with differnet targets but I do not know what they mean/how they work. I was not able to find the documentation for these. Thank you, Shreyansh Chouhan
On Sat, Aug 21, 2021 at 3:18 AM Shreyansh Chouhan <chouhan.shreyansh630@gmail.com> wrote: > > Hi, > > Thank you Jakub and Willem for your reviews. I have separated the > changes into two differnet patches. Sorry for the delay. Thanks Shreyansh > Where can I read about patch targets? I have seen patches with differnet > targets but I do not know what they mean/how they work. I was not able > to find the documentation for these. Targeting these bug fixed to net was the right destination. Documentation/networking/netdev-FAQ.rst has more context on the net vs net-next distinction.
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 12dca0c85f3c..95419b7adf5c 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -473,6 +473,8 @@ static void __gre_xmit(struct sk_buff *skb, struct net_device *dev, static int gre_handle_offloads(struct sk_buff *skb, bool csum) { + if (csum && skb_checksum_start(skb) < skb->data) + return -EINVAL; return iptunnel_handle_offloads(skb, csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE); } diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index bc224f917bbd..7a5e90e09363 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -629,6 +629,8 @@ static int gre_rcv(struct sk_buff *skb) static int gre_handle_offloads(struct sk_buff *skb, bool csum) { + if (csum && skb_checksum_start(skb) < skb->data) + return -EINVAL; return iptunnel_handle_offloads(skb, csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE); }
If we get a ip gre packet with TUNNEL_CSUM set, an invalid csum_start value causes skb->csum_start offset to be less than the offset for skb->data after we pull the ip header from the packet during the ipgre_xmit call. This patch adds a sanity check to gre_handle_offloads, which checks the validity of skb->csum_start after we have pulled the ip header from the packet in the ipgre_xmit call. Reported-by: syzbot+ff8e1b9f2f36481e2efc@syzkaller.appspotmail.com Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com> --- net/ipv4/ip_gre.c | 2 ++ net/ipv6/ip6_gre.c | 2 ++ 2 files changed, 4 insertions(+)