mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-05 16:37:50 +00:00
esp: Fix GRO when the headers not fully in the linear part of the skb.
commit374d1b5a81
upstream. The GRO layer does not necessarily pull the complete headers into the linear part of the skb, a part may remain on the first page fragment. This can lead to a crash if we try to pull the headers, so make sure we have them on the linear part before pulling. Fixes:7785bba299
("esp: Add a software GRO codepath") Reported-by: syzbot+82bbd65569c49c6c0c4d@syzkaller.appspotmail.com Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
447f1170c2
commit
2019413609
2 changed files with 4 additions and 2 deletions
|
@ -38,7 +38,8 @@ static struct sk_buff **esp4_gro_receive(struct sk_buff **head,
|
||||||
__be32 spi;
|
__be32 spi;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
skb_pull(skb, offset);
|
if (!pskb_pull(skb, offset))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
|
if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
|
@ -60,7 +60,8 @@ static struct sk_buff **esp6_gro_receive(struct sk_buff **head,
|
||||||
int nhoff;
|
int nhoff;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
skb_pull(skb, offset);
|
if (!pskb_pull(skb, offset))
|
||||||
|
return NULL;
|
||||||
|
|
||||||
if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
|
if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
Loading…
Reference in a new issue