summaryrefslogtreecommitdiffstats
path: root/net/ipv4
diff options
context:
space:
mode:
authorSteffen Klassert <steffen.klassert@secunet.com>2022-03-07 13:11:39 +0100
committerSteffen Klassert <steffen.klassert@secunet.com>2022-03-07 13:14:03 +0100
commitebe48d368e97d007bfeb76fcb065d6cfc4c96645 (patch)
treeeaf068b3acda81ceaad0143fed5851d21a5e8bef /net/ipv4
parentRevert "xfrm: state and policy should fail if XFRMA_IF_ID 0" (diff)
downloadlinux-ebe48d368e97d007bfeb76fcb065d6cfc4c96645.tar.xz
linux-ebe48d368e97d007bfeb76fcb065d6cfc4c96645.zip
esp: Fix possible buffer overflow in ESP transformation
The maximum message size that can be send is bigger than the maximum site that skb_page_frag_refill can allocate. So it is possible to write beyond the allocated buffer. Fix this by doing a fallback to COW in that case. v2: Avoid get get_order() costs as suggested by Linus Torvalds. Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") Reported-by: valis <sec@valis.email> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/esp4.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index e1b1d080e908..70e6c87fbe3d 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -446,6 +446,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
struct page *page;
struct sk_buff *trailer;
int tailen = esp->tailen;
+ unsigned int allocsz;
/* this is non-NULL only with TCP/UDP Encapsulation */
if (x->encap) {
@@ -455,6 +456,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
return err;
}
+ allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+ if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+ goto cow;
+
if (!skb_cloned(skb)) {
if (tailen <= skb_tailroom(skb)) {
nfrags = 1;