[IPV4]: ipip and ip_gre encapsulation bugs

Handling of ipip and ip_gre ICMP error relaying is b0rken; it accesses
8bit field + 3 reserved octets as host-endian 32bit, does comparison,
subtraction and stuffs the result back.  That breaks on big-endian.

Fixed, made endian-clean.

[ Note that this effected code is permanently commented out with
  and ifdef, so this error couldn't actually cause problems for
  anyone. -DaveM ]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Al Viro 2006-09-19 13:23:19 -07:00 committed by David S. Miller
parent 593f16aa62
commit c55e2f4997
2 changed files with 25 additions and 20 deletions

View file

@ -393,7 +393,8 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
int code = skb->h.icmph->code;
int rel_type = 0;
int rel_code = 0;
int rel_info = 0;
__be32 rel_info = 0;
__u32 n = 0;
u16 flags;
int grehlen = (iph->ihl<<2) + 4;
struct sk_buff *skb2;
@ -422,14 +423,16 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
default:
return;
case ICMP_PARAMETERPROB:
if (skb->h.icmph->un.gateway < (iph->ihl<<2))
n = ntohl(skb->h.icmph->un.gateway) >> 24;
if (n < (iph->ihl<<2))
return;
/* So... This guy found something strange INSIDE encapsulated
packet. Well, he is fool, but what can we do ?
*/
rel_type = ICMP_PARAMETERPROB;
rel_info = skb->h.icmph->un.gateway - grehlen;
n -= grehlen;
rel_info = htonl(n << 24);
break;
case ICMP_DEST_UNREACH:
@ -440,13 +443,14 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
return;
case ICMP_FRAG_NEEDED:
/* And it is the only really necessary thing :-) */
rel_info = ntohs(skb->h.icmph->un.frag.mtu);
if (rel_info < grehlen+68)
n = ntohs(skb->h.icmph->un.frag.mtu);
if (n < grehlen+68)
return;
rel_info -= grehlen;
n -= grehlen;
/* BSD 4.2 MORE DOES NOT EXIST IN NATURE. */
if (rel_info > ntohs(eiph->tot_len))
if (n > ntohs(eiph->tot_len))
return;
rel_info = htonl(n);
break;
default:
/* All others are translated to HOST_UNREACH.
@ -508,12 +512,11 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
/* change mtu on this route */
if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
if (rel_info > dst_mtu(skb2->dst)) {
if (n > dst_mtu(skb2->dst)) {
kfree_skb(skb2);
return;
}
skb2->dst->ops->update_pmtu(skb2->dst, rel_info);
rel_info = htonl(rel_info);
skb2->dst->ops->update_pmtu(skb2->dst, n);
} else if (type == ICMP_TIME_EXCEEDED) {
struct ip_tunnel *t = netdev_priv(skb2->dev);
if (t->parms.iph.ttl) {

View file

@ -341,7 +341,8 @@ static int ipip_err(struct sk_buff *skb, u32 info)
int code = skb->h.icmph->code;
int rel_type = 0;
int rel_code = 0;
int rel_info = 0;
__be32 rel_info = 0;
__u32 n = 0;
struct sk_buff *skb2;
struct flowi fl;
struct rtable *rt;
@ -354,14 +355,15 @@ static int ipip_err(struct sk_buff *skb, u32 info)
default:
return 0;
case ICMP_PARAMETERPROB:
if (skb->h.icmph->un.gateway < hlen)
n = ntohl(skb->h.icmph->un.gateway) >> 24;
if (n < hlen)
return 0;
/* So... This guy found something strange INSIDE encapsulated
packet. Well, he is fool, but what can we do ?
*/
rel_type = ICMP_PARAMETERPROB;
rel_info = skb->h.icmph->un.gateway - hlen;
rel_info = htonl((n - hlen) << 24);
break;
case ICMP_DEST_UNREACH:
@ -372,13 +374,14 @@ static int ipip_err(struct sk_buff *skb, u32 info)
return 0;
case ICMP_FRAG_NEEDED:
/* And it is the only really necessary thing :-) */
rel_info = ntohs(skb->h.icmph->un.frag.mtu);
if (rel_info < hlen+68)
n = ntohs(skb->h.icmph->un.frag.mtu);
if (n < hlen+68)
return 0;
rel_info -= hlen;
n -= hlen;
/* BSD 4.2 MORE DOES NOT EXIST IN NATURE. */
if (rel_info > ntohs(eiph->tot_len))
if (n > ntohs(eiph->tot_len))
return 0;
rel_info = htonl(n);
break;
default:
/* All others are translated to HOST_UNREACH.
@ -440,12 +443,11 @@ static int ipip_err(struct sk_buff *skb, u32 info)
/* change mtu on this route */
if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
if (rel_info > dst_mtu(skb2->dst)) {
if (n > dst_mtu(skb2->dst)) {
kfree_skb(skb2);
return 0;
}
skb2->dst->ops->update_pmtu(skb2->dst, rel_info);
rel_info = htonl(rel_info);
skb2->dst->ops->update_pmtu(skb2->dst, n);
} else if (type == ICMP_TIME_EXCEEDED) {
struct ip_tunnel *t = netdev_priv(skb2->dev);
if (t->parms.iph.ttl) {