mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-24 01:09:38 -05:00
xfrm: Reset secpath in xfrm failure
In esp4_gro_receive() and esp6_gro_receive(), secpath can be allocated
without adding xfrm state to xvec. Then, sp->xvec[sp->len - 1] would
fail and result in dereferencing invalid pointer in esp4_gso_segment()
and esp6_gso_segment(). Reset secpath if xfrm function returns error.
Fixes: 7785bba299
("esp: Add a software GRO codepath")
Reported-by: syzbot+b69368fd933c6c592f4c@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung <mhjungk@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
parent
b805d78d30
commit
6ed69184ed
2 changed files with 10 additions and 6 deletions
|
@ -52,13 +52,13 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
if (sp->len == XFRM_MAX_DEPTH)
|
if (sp->len == XFRM_MAX_DEPTH)
|
||||||
goto out;
|
goto out_reset;
|
||||||
|
|
||||||
x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
|
x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
|
||||||
(xfrm_address_t *)&ip_hdr(skb)->daddr,
|
(xfrm_address_t *)&ip_hdr(skb)->daddr,
|
||||||
spi, IPPROTO_ESP, AF_INET);
|
spi, IPPROTO_ESP, AF_INET);
|
||||||
if (!x)
|
if (!x)
|
||||||
goto out;
|
goto out_reset;
|
||||||
|
|
||||||
sp->xvec[sp->len++] = x;
|
sp->xvec[sp->len++] = x;
|
||||||
sp->olen++;
|
sp->olen++;
|
||||||
|
@ -66,7 +66,7 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
|
||||||
xo = xfrm_offload(skb);
|
xo = xfrm_offload(skb);
|
||||||
if (!xo) {
|
if (!xo) {
|
||||||
xfrm_state_put(x);
|
xfrm_state_put(x);
|
||||||
goto out;
|
goto out_reset;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -82,6 +82,8 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
|
||||||
xfrm_input(skb, IPPROTO_ESP, spi, -2);
|
xfrm_input(skb, IPPROTO_ESP, spi, -2);
|
||||||
|
|
||||||
return ERR_PTR(-EINPROGRESS);
|
return ERR_PTR(-EINPROGRESS);
|
||||||
|
out_reset:
|
||||||
|
secpath_reset(skb);
|
||||||
out:
|
out:
|
||||||
skb_push(skb, offset);
|
skb_push(skb, offset);
|
||||||
NAPI_GRO_CB(skb)->same_flow = 0;
|
NAPI_GRO_CB(skb)->same_flow = 0;
|
||||||
|
|
|
@ -74,13 +74,13 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
if (sp->len == XFRM_MAX_DEPTH)
|
if (sp->len == XFRM_MAX_DEPTH)
|
||||||
goto out;
|
goto out_reset;
|
||||||
|
|
||||||
x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
|
x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
|
||||||
(xfrm_address_t *)&ipv6_hdr(skb)->daddr,
|
(xfrm_address_t *)&ipv6_hdr(skb)->daddr,
|
||||||
spi, IPPROTO_ESP, AF_INET6);
|
spi, IPPROTO_ESP, AF_INET6);
|
||||||
if (!x)
|
if (!x)
|
||||||
goto out;
|
goto out_reset;
|
||||||
|
|
||||||
sp->xvec[sp->len++] = x;
|
sp->xvec[sp->len++] = x;
|
||||||
sp->olen++;
|
sp->olen++;
|
||||||
|
@ -88,7 +88,7 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
|
||||||
xo = xfrm_offload(skb);
|
xo = xfrm_offload(skb);
|
||||||
if (!xo) {
|
if (!xo) {
|
||||||
xfrm_state_put(x);
|
xfrm_state_put(x);
|
||||||
goto out;
|
goto out_reset;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -109,6 +109,8 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
|
||||||
xfrm_input(skb, IPPROTO_ESP, spi, -2);
|
xfrm_input(skb, IPPROTO_ESP, spi, -2);
|
||||||
|
|
||||||
return ERR_PTR(-EINPROGRESS);
|
return ERR_PTR(-EINPROGRESS);
|
||||||
|
out_reset:
|
||||||
|
secpath_reset(skb);
|
||||||
out:
|
out:
|
||||||
skb_push(skb, offset);
|
skb_push(skb, offset);
|
||||||
NAPI_GRO_CB(skb)->same_flow = 0;
|
NAPI_GRO_CB(skb)->same_flow = 0;
|
||||||
|
|
Loading…
Add table
Reference in a new issue