summaryrefslogtreecommitdiffstats
path: root/net/ethernet/eth.c
diff options
context:
space:
mode:
authorSabrina Dubroca <sd@queasysnail.net>2016-10-20 15:58:02 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2016-11-15 07:46:38 +0100
commit3cb00b90e8b1bd59382f5e1304dd751f9674f027 (patch)
tree7c89b34ace24aca852cec342946e22e5583badc2 /net/ethernet/eth.c
parent02558fa0e061c74c37bdb786694025f70582aaca (diff)
downloadlinux-stable-3cb00b90e8b1bd59382f5e1304dd751f9674f027.tar.gz
linux-stable-3cb00b90e8b1bd59382f5e1304dd751f9674f027.tar.bz2
linux-stable-3cb00b90e8b1bd59382f5e1304dd751f9674f027.zip
net: add recursion limit to GRO
[ Upstream commit fcd91dd449867c6bfe56a81cabba76b829fd05cd ] Currently, GRO can do unlimited recursion through the gro_receive handlers. This was fixed for tunneling protocols by limiting tunnel GRO to one level with encap_mark, but both VLAN and TEB still have this problem. Thus, the kernel is vulnerable to a stack overflow, if we receive a packet composed entirely of VLAN headers. This patch adds a recursion counter to the GRO layer to prevent stack overflow. When a gro_receive function hits the recursion limit, GRO is aborted for this skb and it is processed normally. This recursion counter is put in the GRO CB, but could be turned into a percpu counter if we run out of space in the CB. Thanks to Vladimír Beneš <vbenes@redhat.com> for the initial bug report. Fixes: CVE-2016-7039 Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.") Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Jiri Benc <jbenc@redhat.com> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by: Tom Herbert <tom@herbertland.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/ethernet/eth.c')
-rw-r--r--net/ethernet/eth.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
index 9e63f252a89e..de85d4e1cf43 100644
--- a/net/ethernet/eth.c
+++ b/net/ethernet/eth.c
@@ -436,7 +436,7 @@ struct sk_buff **eth_gro_receive(struct sk_buff **head,
skb_gro_pull(skb, sizeof(*eh));
skb_gro_postpull_rcsum(skb, eh, sizeof(*eh));
- pp = ptype->callbacks.gro_receive(head, skb);
+ pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);
out_unlock:
rcu_read_unlock();