LKML Archive on lore.kernel.org
* [PATCH] ip_gre/ip6_gre: add check for invalid csum_start
@ 2021-08-19 14:34 Shreyansh Chouhan
  2021-08-19 16:56 ` Willem de Bruijn
  0 siblings, 1 reply; 14+ messages in thread
From: Shreyansh Chouhan @ 2021-08-19 14:34 UTC
  To: davem, yoshfuji, dsahern, kuba, willemdebruijn.kernel
  Cc: Shreyansh Chouhan, netdev, linux-kernel, syzbot+ff8e1b9f2f36481e2efc

If we get an ip gre packet with TUNNEL_CSUM set, an invalid csum_start
value causes skb->csum_start offset to be less than the offset for
skb->data after we pull the ip header from the packet during the
ipgre_xmit call.

This patch adds a sanity check to gre_handle_offloads, which checks the
validity of skb->csum_start after we have pulled the ip header from the
packet in the ipgre_xmit call.

Reported-by: syzbot+ff8e1b9f2f36481e2efc@syzkaller.appspotmail.com
Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
---
 net/ipv4/ip_gre.c  | 2 ++
 net/ipv6/ip6_gre.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 12dca0c85f3c..95419b7adf5c 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -473,6 +473,8 @@ static void __gre_xmit(struct sk_buff *skb, struct net_device *dev,
 
 static int gre_handle_offloads(struct sk_buff *skb, bool csum)
 {
+	if (csum && skb_checksum_start(skb) < skb->data)
+		return -EINVAL;
 	return iptunnel_handle_offloads(skb, csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE);
 }
 
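Review bot: the new condition in gre_handle_offloads() reads skb_checksum_start(skb) whenever csum is true, but csum only reflects the tunnel's TUNNEL_CSUM setting, while skb->csum_start is only meaningful when skb->ip_summed == CHECKSUM_PARTIAL. For packets with any other ip_summed value the field is not a valid offset, so this test can return -EINVAL for well-formed traffic. Consider gating the comparison on skb->ip_summed == CHECKSUM_PARTIAL. A blank line between the early return and the iptunnel_handle_offloads() call, plus a one-line comment saying why csum_start can end up before skb->data, would also make the check easier to maintain.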
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index bc224f917bbd..7a5e90e09363 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -629,6 +629,8 @@ static int gre_rcv(struct sk_buff *skb)
 
 static int gre_handle_offloads(struct sk_buff *skb, bool csum)
 {
+	if (csum && skb_checksum_start(skb) < skb->data)
+		return -EINVAL;
 	return iptunnel_handle_offloads(skb,
 					csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE);
 }
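Review bot: the check added to gre_handle_offloads() here is a verbatim copy of the ip_gre.c one, but the commit message only describes the header pull in ipgre_xmit and does not say which ip6_gre transmit path lets csum_start fall before skb->data. Please document the IPv6 path in the changelog (or split the change per file so each message explains its own case). The same concern applies as in the IPv4 hunk: the comparison is keyed on csum rather than on skb->ip_summed == CHECKSUM_PARTIAL, which is the only state in which csum_start is valid. Since both files now carry the identical two-line test, a shared helper would keep them from drifting apart.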
-- 
2.31.1


Thread overview: 14+ messages
2021-08-19 14:34 [PATCH] ip_gre/ip6_gre: add check for invalid csum_start Shreyansh Chouhan
2021-08-19 16:56 ` Willem de Bruijn
2021-08-19 17:04   ` Jakub Kicinski
2021-08-21  7:14     ` [PATCH 1/2 net] ip_gre: add validation for csum_start Shreyansh Chouhan
2021-08-21 13:41       ` Willem de Bruijn
2021-09-01 11:53         ` Ido Schimmel
2021-09-01 13:46           ` Willem de Bruijn
2021-09-01 15:53             ` Ido Schimmel
2021-09-01 21:39               ` Willem de Bruijn
2021-08-22 20:30       ` patchwork-bot+netdevbpf
2021-08-21  7:14     ` [PATCH 2/2 net] ip6_gre: " Shreyansh Chouhan
2021-08-21 13:42       ` Willem de Bruijn
2021-08-21  7:18     ` [PATCH] ip_gre/ip6_gre: add check for invalid csum_start Shreyansh Chouhan
2021-08-21 13:44       ` Willem de Bruijn
