diff options
| author | Willem de Bruijn <willemb@google.com> | 2020-05-25 15:07:40 -0400 | 
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2020-05-26 20:23:46 -0700 | 
| commit | 6dd912f82680761d8fb6b1bb274a69d4c7010988 (patch) | |
| tree | d512c61bcf35dfa3057289a23977bacc7e35fd9f /net/lapb/lapb_in.c | |
| parent | 0a82e230c68860b7286dad8644d9d9f7cfd755d2 (diff) | |
net: check untrusted gso_size at kernel entry
Syzkaller again found a path to a kernel crash through bad gso input:
a packet with gso size exceeding len.
These packets are dropped in tcp_gso_segment and udp[46]_ufo_fragment.
But they may affect gso size calculations earlier in the path.
Now that we have thlen as of commit 9274124f023b ("net: stricter
validation of untrusted gso packets"), check gso_size at entry too.
Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/lapb/lapb_in.c')
0 files changed, 0 insertions, 0 deletions
