Re: [syzbot] [net?] WARNING in __ip6_append_data

From: David Howells
Date: Mon Sep 18 2023 - 11:18:07 EST

Next message: Jason Gunthorpe: "Re: [PATCH 02/26] vfio: Move KVM get/put helpers to colocate it with other KVM related code"
Previous message: Johannes Roith: "[PATCH v6] HID: mcp2200: added driver for GPIOs of MCP2200"
In reply to: David Howells: "Re: [syzbot] [net?] WARNING in __ip6_append_data"
Next in thread: Willem de Bruijn: "Re: [syzbot] [net?] WARNING in __ip6_append_data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Willem de Bruijn <willemdebruijn.kernel@xxxxxxxxx> wrote:

>
> An ipv6 packet can carry 64KB of payload, so maxnonfragsize of 65535 + 40
> sounds correct. But payload length passed of 65536 is not (ignoring ipv6
> jumbograms). So that should probably trigger an EINVAL -- if that is indeed
> what the repro does.

The problem is that on entry to __ip6_append_data(), the length includes
transhdrlen. However, this is a problem if we already have something in the
packet. At that point, this fails:

if (WARN_ON_ONCE(copy > msg->msg_iter.count))
goto error;

because copy includes transhdrlen.

David

Next message: Jason Gunthorpe: "Re: [PATCH 02/26] vfio: Move KVM get/put helpers to colocate it with other KVM related code"
Previous message: Johannes Roith: "[PATCH v6] HID: mcp2200: added driver for GPIOs of MCP2200"
In reply to: David Howells: "Re: [syzbot] [net?] WARNING in __ip6_append_data"
Next in thread: Willem de Bruijn: "Re: [syzbot] [net?] WARNING in __ip6_append_data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]