diff options
author | Steffen Klassert <steffen.klassert@secunet.com> | 2022-03-07 13:11:39 +0100 |
---|---|---|
committer | Steffen Klassert <steffen.klassert@secunet.com> | 2022-03-07 13:14:03 +0100 |
commit | ebe48d368e97d007bfeb76fcb065d6cfc4c96645 (patch) | |
tree | eaf068b3acda81ceaad0143fed5851d21a5e8bef /include | |
parent | Revert "xfrm: state and policy should fail if XFRMA_IF_ID 0" (diff) | |
download | linux-ebe48d368e97d007bfeb76fcb065d6cfc4c96645.tar.xz linux-ebe48d368e97d007bfeb76fcb065d6cfc4c96645.zip |
esp: Fix possible buffer overflow in ESP transformation
The maximum message size that can be send is bigger than
the maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.
Fix this by doing a fallback to COW in that case.
v2:
Avoid get get_order() costs as suggested by Linus Torvalds.
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'include')
-rw-r--r-- | include/net/esp.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/net/esp.h b/include/net/esp.h index 9c5637d41d95..90cd02ff77ef 100644 --- a/include/net/esp.h +++ b/include/net/esp.h @@ -4,6 +4,8 @@ #include <linux/skbuff.h> +#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER) + struct ip_esp_hdr; static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb) |