Re: [PATCH v2] net: ipv6: fix skb_over_panic in __ip6_append_data

From: Tadeusz Struk
Date: Thu Mar 10 2022 - 18:04:21 EST


On 3/10/22 14:43, Willem de Bruijn wrote:
On Thu, Mar 10, 2022 at 5:30 PM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:

On Thu, 10 Mar 2022 14:13:28 -0800 Tadeusz Struk wrote:
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 4788f6b37053..6d45112322a0 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1649,6 +1649,16 @@ static int __ip6_append_data(struct sock *sk,
skb->protocol = htons(ETH_P_IPV6);
skb->ip_summed = csummode;
skb->csum = 0;
+
+ /*
+ * Check if there is still room for payload
+ */

TBH I think the check is self-explanatory. Not worth a banner comment,
for sure.

+ if (fragheaderlen >= mtu) {
+ err = -EMSGSIZE;
+ kfree_skb(skb);
+ goto error;
+ }

Not sure if Willem prefers this placement, but seems like we can lift
this check out of the loop, as soon as fragheaderlen and mtu are known.

/* reserve for fragmentation and ipsec header */
skb_reserve(skb, hh_len + sizeof(struct frag_hdr) +
dst_exthdrlen);
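Review bot: the new check at `if (fragheaderlen >= mtu)` runs only after the skb for this fragment has already been allocated, so every hit pays for a `kfree_skb(skb)` plus a `goto error`; both operands are known before the loop, so it belongs in the pre-loop size check that already starts with `if (mtu < fragheaderlen ||` and ends in `goto emsgsize;`. When folding it in there, mind that the boundaries differ: the pre-loop test uses `mtu < fragheaderlen` while the hunk uses `fragheaderlen >= mtu`, so the `mtu == fragheaderlen` case (no room for payload in a fragment) is only rejected if the pre-loop comparison becomes `mtu <= fragheaderlen`.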

Just updating this boundary check will do?

if (mtu < fragheaderlen ||
    ((mtu - fragheaderlen) & ~7) + fragheaderlen <
    sizeof(struct frag_hdr))
	goto emsgsize;

Yes, it will. v3 on its way.

--
Thanks,
Tadeusz
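An added illustration of the boundary check discussed above, not code from the thread or from the kernel: it models the quoted condition with plain unsigned integers (assumed header sizes: 40 octets for struct ipv6hdr, 8 for struct frag_hdr) and shows the mtu == fragheaderlen case that `mtu < fragheaderlen` lets through while the patch's `fragheaderlen >= mtu` boundary rejects it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Header sizes assumed from the kernel definitions (not taken from the thread). */
#define IPV6_HDR_LEN 40u /* sizeof(struct ipv6hdr) */
#define FRAG_HDR_LEN 8u  /* sizeof(struct frag_hdr) */

/* 8-octet-aligned fragment length used by the quoted check; only meaningful
 * when mtu >= fragheaderlen, which every caller below tests first. */
static unsigned int aligned_frag_len(unsigned int mtu, unsigned int fragheaderlen)
{
	return ((mtu - fragheaderlen) & ~7u) + fragheaderlen;
}

/* Octets left after the unfragmentable headers: frag_hdr plus payload. */
static unsigned int room_after_headers(unsigned int mtu, unsigned int fragheaderlen)
{
	return aligned_frag_len(mtu, fragheaderlen) - fragheaderlen;
}

/* The pre-existing check quoted in the thread: rejects only mtu < fragheaderlen. */
static bool rejects_existing(unsigned int mtu, unsigned int fragheaderlen)
{
	return mtu < fragheaderlen || aligned_frag_len(mtu, fragheaderlen) < FRAG_HDR_LEN;
}

/* Same check with the patch's boundary (fragheaderlen >= mtu), so the
 * zero-room case mtu == fragheaderlen is refused as well. */
static bool rejects_patched(unsigned int mtu, unsigned int fragheaderlen)
{
	return mtu <= fragheaderlen || aligned_frag_len(mtu, fragheaderlen) < FRAG_HDR_LEN;
}

int main(void)
{
	/* Constructed (mtu, fragheaderlen) pairs; 48 = ipv6hdr + one 8-octet ext header. */
	const unsigned int cases[][2] = {
		{ 1280, IPV6_HDR_LEN }, { 1281, IPV6_HDR_LEN }, { 48, 48 }, { 47, 48 },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		unsigned int mtu = cases[i][0], fhl = cases[i][1];
		bool old_rej = rejects_existing(mtu, fhl), new_rej = rejects_patched(mtu, fhl);
		printf("mtu=%4u fragheaderlen=%2u room=%5u existing=%s patched=%s\n",
		       mtu, fhl, old_rej ? 0u : room_after_headers(mtu, fhl),
		       old_rej ? "reject" : "accept", new_rej ? "reject" : "accept");
	}
	return 0;
}
```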