From: Ahmed Abdelsalam <ahabdels@xxxxxxxxx>
Date: Wed, 3 Jun 2020 06:54:42 +0000

> The seg6_validate_srh() is used to validate SRH for three cases:
>
> Case 1: SRH of data-plane SRv6 packets to be processed by the Linux kernel.
> Case 2: SRH of the netlink message received from user-space (iproute2).
> Case 3: SRH injected into packets through setsockopt.
>
> In case 1, the SRH can be encoded in the Reduced way (i.e., the first SID is
> carried in the DA only and not represented as a SID in the SRH) and
> seg6_validate_srh() now handles this case correctly.
>
> In case 2 and case 3, the SRH shouldn't be encoded in the Reduced way,
> otherwise we lose the first segment (i.e., the first hop).
>
> The current implementation of seg6_validate_srh() allows the SRH of case 2
> and case 3 to be encoded in the Reduced way. This leads to a slab-out-of-bounds
> problem.
>
> This patch verifies the SRH of case 1, case 2 and case 3, allowing case 1 to be
> reduced while preventing the SRH of case 2 and case 3 from being reduced.
>
> Reported-by: syzbot+e8c028b62439eac42073@xxxxxxxxxxxxxxxxxxxxxxxxx
> Reported-by: YueHaibing <yuehaibing@xxxxxxxxxx>
> Fixes: 0cb7498f234e ("seg6: fix SRH processing to comply with RFC8754")
> Signed-off-by: Ahmed Abdelsalam <ahabdels@xxxxxxxxx>

Applied, thanks.
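The check described in the quoted commit message, written out as a small constructed model in C. This is an added illustration, not the kernel's seg6_validate_srh() or its struct ipv6_sr_hdr: the struct srh_model, the enum srh_origin values and the helper names are assumptions made for the example. The point it shows is the one the message makes: an SRH whose Segments Left points one past the last SID stored in the header (the Reduced encoding, where that SID lives only in the IPv6 destination address) is acceptable for a data-plane packet but must be rejected when the SRH arrives from user space via netlink or setsockopt, because the kernel would otherwise index a segment that is not in the buffer it was handed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the SRH fields the check needs (assumption: this is
 * not the kernel's struct ipv6_sr_hdr, just the fields relevant here). */
struct srh_model {
    uint8_t hdrlen;        /* length in 8-octet units, excluding the first 8 octets */
    uint8_t type;          /* IPv6 routing type; the SRH is type 4 */
    uint8_t segments_left; /* index of the active SID */
    uint8_t first_segment; /* index of the last SID stored in the header */
};

#define SRH_ROUTING_TYPE 4
#define SID_LEN 16

/* Where the SRH came from: only the data plane may use the Reduced encoding. */
enum srh_origin { SRH_FROM_DATAPLANE, SRH_FROM_NETLINK, SRH_FROM_SETSOCKOPT };

/* Returns true when the header is consistent with the buffer length and with
 * the encoding permitted for its origin. */
bool srh_check(const struct srh_model *srh, size_t len, enum srh_origin origin)
{
    bool reduced_allowed = (origin == SRH_FROM_DATAPLANE);

    if (srh->type != SRH_ROUTING_TYPE)
        return false;

    /* hdrlen must describe exactly the buffer we were given. */
    if ((size_t)(srh->hdrlen + 1) * 8 != len)
        return false;

    /* Number of 16-byte SIDs that physically fit in the header (TLVs ignored
     * in this model); first_segment must index one of them. */
    size_t sids_present = ((size_t)srh->hdrlen * 8) / SID_LEN;
    if ((size_t)srh->first_segment + 1 > sids_present)
        return false;

    /* Reduced encoding: the active SID is in the DA, not in the list, so
     * segments_left may be first_segment + 1. For user-supplied SRHs that
     * extra index has no backing storage and must be refused. */
    unsigned max_left = reduced_allowed ? srh->first_segment + 1u
                                        : srh->first_segment;
    if (srh->segments_left > max_left)
        return false;

    return true;
}

/* Convenience wrapper so callers (and tests) can pass plain fields. */
bool srh_check_fields(uint8_t hdrlen, uint8_t type, uint8_t segments_left,
                      uint8_t first_segment, size_t len, enum srh_origin origin)
{
    struct srh_model srh = { hdrlen, type, segments_left, first_segment };
    return srh_check(&srh, len, origin);
}

int main(void)
{
    /* Constructed header: two SIDs stored (32 bytes), hdrlen = 4, total 40 bytes. */
    const uint8_t hdrlen = 4, first_segment = 1;
    const size_t len = 40;

    /* Reduced form: segments_left points past the stored list. */
    printf("reduced, data plane : %s\n",
           srh_check_fields(hdrlen, 4, 2, first_segment, len, SRH_FROM_DATAPLANE) ? "accept" : "reject");
    printf("reduced, netlink    : %s\n",
           srh_check_fields(hdrlen, 4, 2, first_segment, len, SRH_FROM_NETLINK) ? "accept" : "reject");
    printf("reduced, setsockopt : %s\n",
           srh_check_fields(hdrlen, 4, 2, first_segment, len, SRH_FROM_SETSOCKOPT) ? "accept" : "reject");
    /* Full form: every SID, including the active one, is in the header. */
    printf("full, netlink       : %s\n",
           srh_check_fields(hdrlen, 4, 1, first_segment, len, SRH_FROM_NETLINK) ? "accept" : "reject");
    return 0;
}
```

The origin flag is the whole fix: the length and type checks are identical for all three cases, and only the upper bound on Segments Left differs. Any later code that uses segments_left as an index into the SID list is safe exactly when that bound matches the buffer the header actually occupies.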