summaryrefslogtreecommitdiffstats
path: root/net/dccp/ipv6.c
diff options
context:
space:
mode:
authorWillem de Bruijn <willemb@google.com>2016-07-12 18:18:57 -0400
committerDavid S. Miller <davem@davemloft.net>2016-07-13 11:53:41 -0700
commit4f0c40d94461cfd23893a17335b2ab78ecb333c8 (patch)
treebb43f8374b6e157c5a412b30d2e528a808939067 /net/dccp/ipv6.c
parentf4979fcea7fd36d8e2f556abef86f80e0d5af1ba (diff)
downloadlinux-4f0c40d94461cfd23893a17335b2ab78ecb333c8.tar.gz
linux-4f0c40d94461cfd23893a17335b2ab78ecb333c8.tar.bz2
linux-4f0c40d94461cfd23893a17335b2ab78ecb333c8.zip
dccp: limit sk_filter trim to payload
Dccp verifies packet integrity, including length, at initial rcv in dccp_invalid_packet, later pulls headers in dccp_enqueue_skb. A call to sk_filter in-between can cause __skb_pull to wrap skb->len. skb_copy_datagram_msg interprets this as a negative value, so (correctly) fails with EFAULT. The negative length is reported in ioctl SIOCINQ or possibly in a DCCP_WARN in dccp_close. Introduce an sk_receive_skb variant that caps how small a filter program can trim packets, and call this in dccp with the header length. Excessively trimmed packets are now processed normally and queued for reception as 0B payloads. Fixes: 7c657876b63c ("[DCCP]: Initial implementation") Signed-off-by: Willem de Bruijn <willemb@google.com> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/dccp/ipv6.c')
-rw-r--r--net/dccp/ipv6.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index d176f4e66369..3ff137d9471d 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -732,7 +732,7 @@ lookup:
if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
goto discard_and_relse;
- return sk_receive_skb(sk, skb, 1) ? -1 : 0;
+ return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4) ? -1 : 0;
no_dccp_socket:
if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))