Patch "net: rpl: fix rpl header size calculation" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 21 Apr 2023 21:39:29 -0400

This is a note to let you know that I've just added the patch titled

    net: rpl: fix rpl header size calculation

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-rpl-fix-rpl-header-size-calculation.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 3345de0b4651e1fbb70f9282d89055d63f5f3011
Author: Alexander Aring <aahringo@xxxxxxxxxx>
Date:   Mon Apr 17 09:00:52 2023 -0400

    net: rpl: fix rpl header size calculation
    
    [ Upstream commit 4e006c7a6dac0ead4c1bf606000aa90a372fc253 ]
    
    This patch fixes a missing 8 byte for the header size calculation. The
    ipv6_rpl_srh_size() is used to check a skb_pull() on skb->data which
    points to skb_transport_header(). Currently we only check on the
    calculated addresses fields using CmprI and CmprE fields, see:
    
    https://www.rfc-editor.org/rfc/rfc6554#section-3
    
    there is however a missing 8 byte inside the calculation which stands
    for the fields before the addresses field. Those 8 bytes are represented
    by sizeof(struct ipv6_rpl_sr_hdr) expression.
    
    Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
    Signed-off-by: Alexander Aring <aahringo@xxxxxxxxxx>
    Reported-by: maxpl0it <maxpl0it@xxxxxxxxxxxxxx>
    Reviewed-by: David Ahern <dsahern@xxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/ipv6/rpl.c b/net/ipv6/rpl.c
index 307f336b5353e..3b0386437f69d 100644
--- a/net/ipv6/rpl.c
+++ b/net/ipv6/rpl.c
@@ -32,7 +32,8 @@ static void *ipv6_rpl_segdata_pos(const struct ipv6_rpl_sr_hdr *hdr, int i)
 size_t ipv6_rpl_srh_size(unsigned char n, unsigned char cmpri,
 			 unsigned char cmpre)
 {
-	return (n * IPV6_PFXTAIL_LEN(cmpri)) + IPV6_PFXTAIL_LEN(cmpre);
+	return sizeof(struct ipv6_rpl_sr_hdr) + (n * IPV6_PFXTAIL_LEN(cmpri)) +
+		IPV6_PFXTAIL_LEN(cmpre);
 }
 
 void ipv6_rpl_srh_decompress(struct ipv6_rpl_sr_hdr *outhdr,






