esp: Fix GRO when the headers not fully in the linear part of the skb.

The GRO layer does not necessarily pull the complete headers into the linear part of the skb, a part may remain on the first page fragment. This can lead to a crash if we try to pull the headers, so make sure we have them on the linear part before pulling. Fixes: 7785bba299a8 ("esp: Add a software GRO codepath") Reported-by: syzbot+82bbd65569c49c6c0c4d@syzkaller.appspotmail.com Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
author: Steffen Klassert <steffen.klassert@secunet.com> 2018-01-05 08:35:47 +0100
committer: Steffen Klassert <steffen.klassert@secunet.com> 2018-01-09 13:01:58 +0100
commit: 374d1b5a81f7f9cc5e7f095ac3d5aff3f6600376 (patch)
tree: df1c9da30e0dbd9258e90f2713524107520fa6a8 /net/ipv6/esp6_offload.c
parent: xfrm: don't call xfrm_policy_cache_flush while holding spinlock (diff)
download: linux-374d1b5a81f7f9cc5e7f095ac3d5aff3f6600376.tar.xz
linux-374d1b5a81f7f9cc5e7f095ac3d5aff3f6600376.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index 333a478aa161..dd9627490c7c 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -60,7 +60,8 @@ static struct sk_buff **esp6_gro_receive(struct sk_buff **head,
 	int nhoff;
 	int err;
 
-	skb_pull(skb, offset);
+	if (!pskb_pull(skb, offset))
+		return NULL;
 
 	if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
 		goto out;
author	Steffen Klassert <steffen.klassert@secunet.com>	2018-01-05 08:35:47 +0100
committer	Steffen Klassert <steffen.klassert@secunet.com>	2018-01-09 13:01:58 +0100
commit	374d1b5a81f7f9cc5e7f095ac3d5aff3f6600376 (patch)
tree	df1c9da30e0dbd9258e90f2713524107520fa6a8 /net/ipv6/esp6_offload.c
parent	xfrm: don't call xfrm_policy_cache_flush while holding spinlock (diff)
download	linux-374d1b5a81f7f9cc5e7f095ac3d5aff3f6600376.tar.xz linux-374d1b5a81f7f9cc5e7f095ac3d5aff3f6600376.zip