[PATCH 3.2 56/59] ipv6: avoid overflow of offset in ip6_find_1stfragopt

From: Ben Hutchings
Date: Fri Aug 18 2017 - 09:16:30 EST


3.2.92-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>

commit 6399f1fae4ec29fab5ec76070435555e256ca3a6 upstream.

In some cases, offset can overflow and can cause an infinite loop in
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.

This problem has been here since before the beginning of git history.

Signed-off-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
Acked-by: Hannes Frederic Sowa <hannes@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
net/ipv6/ip6_output.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -561,13 +561,14 @@ static void ip6_copy_metadata(struct sk_

int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
{
- u16 offset = sizeof(struct ipv6hdr);
+ unsigned int offset = sizeof(struct ipv6hdr);
unsigned int packet_len = skb->tail - skb->network_header;
int found_rhdr = 0;
*nexthdr = &ipv6_hdr(skb)->nexthdr;

while (offset <= packet_len) {
struct ipv6_opt_hdr *exthdr;
+ unsigned int len;

switch (**nexthdr) {

@@ -593,7 +594,10 @@ int ip6_find_1stfragopt(struct sk_buff *

exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
offset);
- offset += ipv6_optlen(exthdr);
+ len = ipv6_optlen(exthdr);
+ if (len + offset >= IPV6_MAXPLEN)
+ return -EINVAL;
+ offset += len;
*nexthdr = &exthdr->nexthdr;
}