This is a note to let you know that I've just added the patch titled ipv6: avoid overflow of offset in ip6_find_1stfragopt to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Tue Aug 8 16:54:20 PDT 2017 From: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx> Date: Wed, 19 Jul 2017 22:28:55 +0200 Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt From: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx> [ Upstream commit 6399f1fae4ec29fab5ec76070435555e256ca3a6 ] In some cases, offset can overflow and can cause an infinite loop in ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and cap it at IPV6_MAXPLEN, since packets larger than that should be invalid. This problem has been here since before the beginning of git history. Signed-off-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx> Acked-by: Hannes Frederic Sowa <hannes@xxxxxxxxxxxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/ipv6/output_core.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/net/ipv6/output_core.c +++ b/net/ipv6/output_core.c @@ -44,7 +44,7 @@ EXPORT_SYMBOL_GPL(ipv6_proxy_select_iden int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) { - u16 offset = sizeof(struct ipv6hdr); + unsigned int offset = sizeof(struct ipv6hdr); unsigned int packet_len = skb_tail_pointer(skb) - skb_network_header(skb); int found_rhdr = 0; @@ -52,6 +52,7 @@ int ip6_find_1stfragopt(struct sk_buff * while (offset <= packet_len) { struct ipv6_opt_hdr *exthdr; + unsigned int len; switch (**nexthdr) { @@ -77,7 +78,10 @@ int ip6_find_1stfragopt(struct sk_buff * exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + offset); - offset += ipv6_optlen(exthdr); + len = ipv6_optlen(exthdr); + if (len + offset >= IPV6_MAXPLEN) + return -EINVAL; + offset += len; *nexthdr = &exthdr->nexthdr; } Patches currently in stable-queue which might be from sd@xxxxxxxxxxxxxxx are queue-3.18/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch