[IPV4]: ipip and ip_gre encapsulation bugs
Handling of ipip and ip_gre ICMP error relaying is b0rken; it accesses 8bit field + 3 reserved octets as host-endian 32bit, does comparison, subtraction and stuffs the result back. That breaks on big-endian. Fixed, made endian-clean. [ Note that this affected code is permanently commented out with an ifdef, so this error couldn't actually cause problems for anyone. -DaveM ] Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
593f16aa62
commit
c55e2f4997
2 changed files with 25 additions and 20 deletions
|
@ -393,7 +393,8 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
|
|||
int code = skb->h.icmph->code;
|
||||
int rel_type = 0;
|
||||
int rel_code = 0;
|
||||
int rel_info = 0;
|
||||
__be32 rel_info = 0;
|
||||
__u32 n = 0;
|
||||
u16 flags;
|
||||
int grehlen = (iph->ihl<<2) + 4;
|
||||
struct sk_buff *skb2;
|
||||
|
@ -422,14 +423,16 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
|
|||
default:
|
||||
return;
|
||||
case ICMP_PARAMETERPROB:
|
||||
if (skb->h.icmph->un.gateway < (iph->ihl<<2))
|
||||
n = ntohl(skb->h.icmph->un.gateway) >> 24;
|
||||
if (n < (iph->ihl<<2))
|
||||
return;
|
||||
|
||||
/* So... This guy found something strange INSIDE encapsulated
|
||||
packet. Well, he is fool, but what can we do ?
|
||||
*/
|
||||
rel_type = ICMP_PARAMETERPROB;
|
||||
rel_info = skb->h.icmph->un.gateway - grehlen;
|
||||
n -= grehlen;
|
||||
rel_info = htonl(n << 24);
|
||||
break;
|
||||
|
||||
case ICMP_DEST_UNREACH:
|
||||
|
@ -440,13 +443,14 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
|
|||
return;
|
||||
case ICMP_FRAG_NEEDED:
|
||||
/* And it is the only really necessary thing :-) */
|
||||
rel_info = ntohs(skb->h.icmph->un.frag.mtu);
|
||||
if (rel_info < grehlen+68)
|
||||
n = ntohs(skb->h.icmph->un.frag.mtu);
|
||||
if (n < grehlen+68)
|
||||
return;
|
||||
rel_info -= grehlen;
|
||||
n -= grehlen;
|
||||
/* BSD 4.2 MORE DOES NOT EXIST IN NATURE. */
|
||||
if (rel_info > ntohs(eiph->tot_len))
|
||||
if (n > ntohs(eiph->tot_len))
|
||||
return;
|
||||
rel_info = htonl(n);
|
||||
break;
|
||||
default:
|
||||
/* All others are translated to HOST_UNREACH.
|
||||
|
@ -508,12 +512,11 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
|
|||
|
||||
/* change mtu on this route */
|
||||
if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
|
||||
if (rel_info > dst_mtu(skb2->dst)) {
|
||||
if (n > dst_mtu(skb2->dst)) {
|
||||
kfree_skb(skb2);
|
||||
return;
|
||||
}
|
||||
skb2->dst->ops->update_pmtu(skb2->dst, rel_info);
|
||||
rel_info = htonl(rel_info);
|
||||
skb2->dst->ops->update_pmtu(skb2->dst, n);
|
||||
} else if (type == ICMP_TIME_EXCEEDED) {
|
||||
struct ip_tunnel *t = netdev_priv(skb2->dev);
|
||||
if (t->parms.iph.ttl) {
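Review bot: In the ICMP_PARAMETERPROB case of ipgre_err the guard still compares `n` with `iph->ihl<<2`, while the following lines subtract `grehlen`, which the visible initialiser sets to `(iph->ihl<<2) + 4`. A pointer value that falls inside the GRE header therefore passes the check, `n -= grehlen` wraps in `__u32`, and `htonl(n << 24)` relays a meaningless offset. The value is taken from a received ICMP error, so the bound should match the amount subtracted: `if (n < grehlen) return;`. Whether grehlen is adjusted between the hunks is not visible here, and the commit message says this path is currently compiled out, so treat this as a latent issue to fix before the block is ever enabled. ipgre_err begins and ends outside the hunks shown.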
|
||||
|
|
|
@ -341,7 +341,8 @@ static int ipip_err(struct sk_buff *skb, u32 info)
|
|||
int code = skb->h.icmph->code;
|
||||
int rel_type = 0;
|
||||
int rel_code = 0;
|
||||
int rel_info = 0;
|
||||
__be32 rel_info = 0;
|
||||
__u32 n = 0;
|
||||
struct sk_buff *skb2;
|
||||
struct flowi fl;
|
||||
struct rtable *rt;
|
||||
|
@ -354,14 +355,15 @@ static int ipip_err(struct sk_buff *skb, u32 info)
|
|||
default:
|
||||
return 0;
|
||||
case ICMP_PARAMETERPROB:
|
||||
if (skb->h.icmph->un.gateway < hlen)
|
||||
n = ntohl(skb->h.icmph->un.gateway) >> 24;
|
||||
if (n < hlen)
|
||||
return 0;
|
||||
|
||||
/* So... This guy found something strange INSIDE encapsulated
|
||||
packet. Well, he is fool, but what can we do ?
|
||||
*/
|
||||
rel_type = ICMP_PARAMETERPROB;
|
||||
rel_info = skb->h.icmph->un.gateway - hlen;
|
||||
rel_info = htonl((n - hlen) << 24);
|
||||
break;
|
||||
|
||||
case ICMP_DEST_UNREACH:
|
||||
|
@ -372,13 +374,14 @@ static int ipip_err(struct sk_buff *skb, u32 info)
|
|||
return 0;
|
||||
case ICMP_FRAG_NEEDED:
|
||||
/* And it is the only really necessary thing :-) */
|
||||
rel_info = ntohs(skb->h.icmph->un.frag.mtu);
|
||||
if (rel_info < hlen+68)
|
||||
n = ntohs(skb->h.icmph->un.frag.mtu);
|
||||
if (n < hlen+68)
|
||||
return 0;
|
||||
rel_info -= hlen;
|
||||
n -= hlen;
|
||||
/* BSD 4.2 MORE DOES NOT EXIST IN NATURE. */
|
||||
if (rel_info > ntohs(eiph->tot_len))
|
||||
if (n > ntohs(eiph->tot_len))
|
||||
return 0;
|
||||
rel_info = htonl(n);
|
||||
break;
|
||||
default:
|
||||
/* All others are translated to HOST_UNREACH.
|
||||
|
@ -440,12 +443,11 @@ static int ipip_err(struct sk_buff *skb, u32 info)
|
|||
|
||||
/* change mtu on this route */
|
||||
if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
|
||||
if (rel_info > dst_mtu(skb2->dst)) {
|
||||
if (n > dst_mtu(skb2->dst)) {
|
||||
kfree_skb(skb2);
|
||||
return 0;
|
||||
}
|
||||
skb2->dst->ops->update_pmtu(skb2->dst, rel_info);
|
||||
rel_info = htonl(rel_info);
|
||||
skb2->dst->ops->update_pmtu(skb2->dst, n);
|
||||
} else if (type == ICMP_TIME_EXCEEDED) {
|
||||
struct ip_tunnel *t = netdev_priv(skb2->dev);
|
||||
if (t->parms.iph.ttl) {
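Review bot: The new declarations `__be32 rel_info = 0;` and `__u32 n = 0;` in ipip_err (and the same pair in ipgre_err) carry no comment, although the byte-order split between them is the whole point of the fix. `n` also holds two different quantities, the parameter-problem pointer octet in one case and the path MTU in the other. A comment at the declaration would keep later edits from mixing the two again: `/* n: host-order working value (ICMP pointer or MTU); rel_info: same value in network order */`. rel_info is presumably what the relayed ICMP error carries, but that call is outside the hunks shown, as are the start and end of ipip_err.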
|
||||
|
|