igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
commitc3b704d4a4upstream. This is a follow up of commit915d975b2f("net: deal with integer overflows in kmalloc_reserve()") based on David Laight feedback. Back in 2010, I failed to realize malicious users could set dev->mtu to arbitrary values. This mtu has been since limited to 0x7fffffff but regardless of how big dev->mtu is, it makes no sense for igmpv3_newpack() to allocate more than IP_MAX_MTU and risk various skb fields overflows. Fixes:57e1ab6ead("igmp: refine skb allocations") Link: https://lore.kernel.org/netdev/d273628df80f45428e739274ab9ecb72@AcuMS.aculab.com/ Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: David Laight <David.Laight@ACULAB.COM> Cc: Kyle Zeng <zengyhkyle@gmail.com> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Eric Dumazet
Greg Kroah-Hartman
parent
e4ffc47a1c
commit
87f07ec534
|
|
@ -353,8 +353,9 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
|
|||
struct flowi4 fl4;
|
||||
int hlen = LL_RESERVED_SPACE(dev);
|
||||
int tlen = dev->needed_tailroom;
|
||||
unsigned int size = mtu;
|
||||
unsigned int size;
|
||||
|
||||
size = min(mtu, IP_MAX_MTU);
|
||||
while (1) {
|
||||
skb = alloc_skb(size + hlen + tlen,
|
||||
GFP_ATOMIC | __GFP_NOWARN);
|
||||
|
|
|
|||
Loading…
Reference in New Issue