diff options
| author |   Steffen Klassert <steffen.klassert@secunet.com> | 2018-01-05 08:35:47 +0100 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2018-01-09 13:01:58 +0100 |
| commit | 374d1b5a81f7f9cc5e7f095ac3d5aff3f6600376 (patch) | |
| tree | df1c9da30e0dbd9258e90f2713524107520fa6a8 | |
| parent | xfrm: don't call xfrm_policy_cache_flush while holding spinlock (diff) | |
| download | linux-dev-374d1b5a81f7f9cc5e7f095ac3d5aff3f6600376.tar.xz linux-dev-374d1b5a81f7f9cc5e7f095ac3d5aff3f6600376.zip | |
esp: Fix GRO when the headers not fully in the linear part of the skb.
The GRO layer does not necessarily pull the complete headers
into the linear part of the skb, a part may remain on the
first page fragment. This can lead to a crash if we try to
pull the headers, so make sure we have them on the linear
part before pulling.
Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Reported-by: syzbot+82bbd65569c49c6c0c4d@syzkaller.appspotmail.com
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
| -rw-r--r-- | net/ipv4/esp4_offload.c | 3 | ||||
| -rw-r--r-- | net/ipv6/esp6_offload.c | 3 |
2 files changed, 4 insertions, 2 deletions
diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c index f8b918c766b0..b1338e576d00 100644 --- a/net/ipv4/esp4_offload.c +++ b/net/ipv4/esp4_offload.c @@ -38,7 +38,8 @@ static struct sk_buff **esp4_gro_receive(struct sk_buff **head, __be32 spi; int err; - skb_pull(skb, offset); + if (!pskb_pull(skb, offset)) + return NULL; if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0) goto out; diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c index 333a478aa161..dd9627490c7c 100644 --- a/net/ipv6/esp6_offload.c +++ b/net/ipv6/esp6_offload.c @@ -60,7 +60,8 @@ static struct sk_buff **esp6_gro_receive(struct sk_buff **head, int nhoff; int err; - skb_pull(skb, offset); + if (!pskb_pull(skb, offset)) + return NULL; if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0) goto out; |