[3.8.y.z extended stable] Patch "net: flow_dissector: fail on evil iph->ihl" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Fri Dec 6 23:08:00 UTC 2013


This is a note to let you know that I have just added a patch titled

    net: flow_dissector: fail on evil iph->ihl

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.14.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

From b3a905150a8a676a9aa1e62bf99943a4d84bd34c Mon Sep 17 00:00:00 2001
From: Jason Wang <jasowang at redhat.com>
Date: Fri, 1 Nov 2013 15:01:10 +0800
Subject: net: flow_dissector: fail on evil iph->ihl

[ Upstream commit 6f092343855a71e03b8d209815d8c45bf3a27fcd ]

We don't validate iph->ihl, which may lead to a dead loop if we meet an IPIP
skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
is evil (less than 5).

This issue was introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae
(rps: support IPIP encapsulation).

Cc: Eric Dumazet <edumazet at google.com>
Cc: Petr Matousek <pmatouse at redhat.com>
Cc: Michael S. Tsirkin <mst at redhat.com>
Cc: Daniel Borkmann <dborkman at redhat.com>
Signed-off-by: Jason Wang <jasowang at redhat.com>
Acked-by: Eric Dumazet <edumazet at google.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 net/core/flow_dissector.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 744b3ad..e2df3a9 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -36,7 +36,7 @@ again:
 		struct iphdr _iph;
 ip:
 		iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
-		if (!iph)
+		if (!iph || iph->ihl < 5)
 			return false;

 		if (ip_is_fragment(iph))
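Review bot: the `5` in `if (!iph || iph->ihl < 5)` reads as a magic number; a one-line comment at the check would help future readers, e.g. `/* ihl < 5 (20 bytes) is malformed; also stops the IPIP re-dissect loop on ihl == 0 */`. The logic itself is sound: ihl counts 32-bit words and 5 is the minimum legal IPv4 header length, so anything smaller is malformed, and rejecting it here means the next-header offset can never be advanced by zero bytes when the dissector jumps back to `again:` for an IPIP payload, which is the dead loop the commit message describes. Placing the test before `ip_is_fragment(iph)` is also the right order, since no other field of a malformed header is consulted.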
--
1.8.3.2
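The following is an added, self-contained model of the failure the patch fixes; it is not the kernel's flow dissector code and is written only to illustrate the mechanism. It walks a chain of IPv4 headers the way the dissector follows IPIP encapsulation, advancing the next-header offset by ihl*4 each time. With a constructed outer header whose ihl is zero the offset never moves, so an unvalidated walk re-reads the same header until the iteration cap trips; with the minimum-length check from the patch the same input is rejected immediately, and a well-formed IPIP packet is still dissected. All names (`walk_ip_headers`, `put_ipv4_hdr`, the `demo_*` functions, `MAX_STEPS`) are hypothetical, and the sample packets are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-alone model, not kernel code. Protocol numbers are
 * defined locally so the file builds without <netinet/in.h>. */
#define PROTO_IPIP 4
#define PROTO_TCP  6
#define MAX_STEPS  64   /* iteration cap so a non-terminating walk is observable */

/* 20-byte fixed part of an IPv4 header (mirrors the fields of struct iphdr). */
struct ipv4_hdr {
    uint8_t  ver_ihl;   /* version (high nibble) | ihl in 32-bit words (low nibble) */
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

/* Follow IPv4 headers from offset 0, descending through IPIP encapsulation.
 * Returns the number of IP headers traversed, -1 if the packet is truncated
 * or (when validate_ihl is set) an ihl below the 20-byte minimum is seen,
 * and -2 if the walk did not terminate within MAX_STEPS (the dead loop). */
static int walk_ip_headers(const uint8_t *pkt, size_t len, bool validate_ihl)
{
    size_t nhoff = 0;
    int headers = 0;

    for (int step = 0; step < MAX_STEPS; step++) {
        struct ipv4_hdr iph;

        /* Equivalent of skb_header_pointer() returning NULL on a short packet. */
        if (nhoff + sizeof(iph) > len)
            return -1;
        memcpy(&iph, pkt + nhoff, sizeof(iph));

        unsigned ihl = iph.ver_ihl & 0x0f;
        if (validate_ihl && ihl < 5)
            return -1;          /* the patched check: ihl < 5 is malformed */

        headers++;
        if (iph.protocol != PROTO_IPIP)
            return headers;     /* reached the transport header, stop */

        nhoff += ihl * 4;       /* with ihl == 0 the offset never advances */
    }
    return -2;                  /* cap hit: unbounded re-dissection */
}

/* Write a minimal IPv4 header with the given ihl nibble and protocol. */
static void put_ipv4_hdr(uint8_t *dst, unsigned ihl, uint8_t protocol)
{
    struct ipv4_hdr h;
    memset(&h, 0, sizeof(h));
    h.ver_ihl  = (uint8_t)(0x40 | (ihl & 0x0f));
    h.ttl      = 64;
    h.protocol = protocol;
    memcpy(dst, &h, sizeof(h));
}

/* Constructed IPIP packet: outer header with ihl == 0, walked without the check. */
static int demo_unvalidated_zero_ihl(void)
{
    uint8_t pkt[40];
    put_ipv4_hdr(pkt,      0, PROTO_IPIP);   /* outer, malformed ihl */
    put_ipv4_hdr(pkt + 20, 5, PROTO_TCP);    /* inner, never reached */
    return walk_ip_headers(pkt, sizeof(pkt), false);   /* -2: dead loop */
}

/* Same packet, walked with the minimum-length check from the patch. */
static int demo_validated_zero_ihl(void)
{
    uint8_t pkt[40];
    put_ipv4_hdr(pkt,      0, PROTO_IPIP);
    put_ipv4_hdr(pkt + 20, 5, PROTO_TCP);
    return walk_ip_headers(pkt, sizeof(pkt), true);    /* -1: rejected */
}

/* Well-formed IPIP packet: the check must not break legitimate traffic. */
static int demo_valid_ipip(void)
{
    uint8_t pkt[40];
    put_ipv4_hdr(pkt,      5, PROTO_IPIP);
    put_ipv4_hdr(pkt + 20, 5, PROTO_TCP);
    return walk_ip_headers(pkt, sizeof(pkt), true);    /* 2 headers */
}

int main(void)
{
    printf("unvalidated, ihl=0 : %d (expect -2, loop hit cap)\n", demo_unvalidated_zero_ihl());
    printf("validated,   ihl=0 : %d (expect -1, rejected)\n",     demo_validated_zero_ihl());
    printf("validated,   valid : %d (expect 2 headers)\n",        demo_valid_ipip());
    return 0;
}
```

The model deliberately caps the loop so the unterminated case is visible as a return value; the real dissector has no such cap, which is why a single crafted IPIP packet could pin a CPU in the RPS hash path before this fix. Rejecting `ihl < 5` at the point the header is first read is the minimal fix because every later offset computation depends on that field.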
