Re: [PATCH v2] net: ipv6: fix skb_over_panic in __ip6_append_data

On 3/10/22 14:43, Willem de Bruijn wrote:
On Thu, Mar 10, 2022 at 5:30 PM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:

On Thu, 10 Mar 2022 14:13:28 -0800 Tadeusz Struk wrote:
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 4788f6b37053..6d45112322a0 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1649,6 +1649,16 @@ static int __ip6_append_data(struct sock *sk,
                       skb->protocol = htons(ETH_P_IPV6);
                       skb->ip_summed = csummode;
                       skb->csum = 0;
+
+                     /*
+                      *      Check if there is still room for payload
+                      */

TBH I think the check is self-explanatory. Not worth a banner comment,
for sure.

+                     if (fragheaderlen >= mtu) {
+                             err = -EMSGSIZE;
+                             kfree_skb(skb);
+                             goto error;
+                     }

Not sure if Willem prefers this placement, but seems like we can lift
this check out of the loop, as soon as fragheaderlen and mtu are known.

                       /* reserve for fragmentation and ipsec header */
                       skb_reserve(skb, hh_len + sizeof(struct frag_hdr) +
                                   dst_exthdrlen);
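
Review bot: the fragheaderlen >= mtu test sits after the skb has already been set up (skb->protocol, skb->ip_summed, skb->csum), so its error path has to kfree_skb() an skb that was only just allocated. Nothing in the visible lines changes fragheaderlen or mtu between the allocation and the test, so the comparison can be made before any skb exists. That drops the kfree_skb() call and keeps the size validation next to the existing mtu < fragheaderlen boundary check, which currently lets the mtu == fragheaderlen case through. The three-line banner comment above the test can go as well: the condition and -EMSGSIZE already say what is being checked.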

Just updating this boundary check will do?

         if (mtu < fragheaderlen ||
             ((mtu - fragheaderlen) & ~7) + fragheaderlen < sizeof(struct frag_hdr))
                 goto emsgsize;

Yes, it will. v3 on its way.

--
Thanks,
Tadeusz


