[NET]: Verify gso_type too in gso_segment
We don't want nasty Xen guests to pass a TCPv6 packet in with gso_type set to TCPv4 or even UDP (or a packet that's both TCP and UDP). Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
6ce1669fdb
commit
bbcf467dab
3 changed files with 31 additions and 4 deletions
|
@ -1106,7 +1106,15 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features)
|
||||||
int ihl;
|
int ihl;
|
||||||
int id;
|
int id;
|
||||||
|
|
||||||
if (!pskb_may_pull(skb, sizeof(*iph)))
|
if (unlikely(skb_shinfo(skb)->gso_type &
|
||||||
|
~(SKB_GSO_TCPV4 |
|
||||||
|
SKB_GSO_UDP |
|
||||||
|
SKB_GSO_DODGY |
|
||||||
|
SKB_GSO_TCP_ECN |
|
||||||
|
0)))
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
if (unlikely(!pskb_may_pull(skb, sizeof(*iph))))
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
iph = skb->nh.iph;
|
iph = skb->nh.iph;
|
||||||
|
@ -1114,7 +1122,7 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features)
|
||||||
if (ihl < sizeof(*iph))
|
if (ihl < sizeof(*iph))
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
if (!pskb_may_pull(skb, ihl))
|
if (unlikely(!pskb_may_pull(skb, ihl)))
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
skb->h.raw = __skb_pull(skb, ihl);
|
skb->h.raw = __skb_pull(skb, ihl);
|
||||||
|
@ -1125,7 +1133,7 @@ static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features)
|
||||||
|
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
ops = rcu_dereference(inet_protos[proto]);
|
ops = rcu_dereference(inet_protos[proto]);
|
||||||
if (ops && ops->gso_segment)
|
if (likely(ops && ops->gso_segment))
|
||||||
segs = ops->gso_segment(skb, features);
|
segs = ops->gso_segment(skb, features);
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
|
|
||||||
|
|
|
@ -2170,8 +2170,19 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
|
||||||
|
|
||||||
if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
|
if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
|
||||||
/* Packet is from an untrusted source, reset gso_segs. */
|
/* Packet is from an untrusted source, reset gso_segs. */
|
||||||
int mss = skb_shinfo(skb)->gso_size;
|
int type = skb_shinfo(skb)->gso_type;
|
||||||
|
int mss;
|
||||||
|
|
||||||
|
if (unlikely(type &
|
||||||
|
~(SKB_GSO_TCPV4 |
|
||||||
|
SKB_GSO_DODGY |
|
||||||
|
SKB_GSO_TCP_ECN |
|
||||||
|
SKB_GSO_TCPV6 |
|
||||||
|
0) ||
|
||||||
|
!(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
mss = skb_shinfo(skb)->gso_size;
|
||||||
skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;
|
skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;
|
||||||
|
|
||||||
segs = NULL;
|
segs = NULL;
|
||||||
|
|
|
@ -64,6 +64,14 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, int features)
|
||||||
struct inet6_protocol *ops;
|
struct inet6_protocol *ops;
|
||||||
int proto;
|
int proto;
|
||||||
|
|
||||||
|
if (unlikely(skb_shinfo(skb)->gso_type &
|
||||||
|
~(SKB_GSO_UDP |
|
||||||
|
SKB_GSO_DODGY |
|
||||||
|
SKB_GSO_TCP_ECN |
|
||||||
|
SKB_GSO_TCPV6 |
|
||||||
|
0)))
|
||||||
|
goto out;
|
||||||
|
|
||||||
if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
|
if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue