Merge branch 'vlan-fix'

Toshiaki Makita says: ==================== Fix vlan tag handling for vlan packets without ethernet headers Eric Dumazet reported syzbot found a new bug which leads to underflow of size argument of memmove(), causing crash[1]. This can be triggered by tun devices. The underflow happened because skb_vlan_untag() did not expect vlan packets without ethernet headers, and tun can produce such packets. I also checked vlan_insert_inner_tag() and found a similar bug. This series fixes these problems. [1] https://marc.info/?l=linux-netdev&m=152221753920510&w=2 ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2018-03-30 12:36:28 -0400
committer: David S. Miller <davem@davemloft.net> 2018-03-30 12:36:28 -0400
commit: 52a9692a43b8cbca179d2dd02e714df6f1197932 (patch)
tree: 67df9144cea6262fc7660a1c8cc0556df7bf0a8b /net
parent: a9645b273e22662ebea563eae334eb3e4fc6614e (diff)
parent: c769accdf3d8a103940bea2979b65556718567e9 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 1e7acdc30732..857e4e6f751a 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -5028,8 +5028,10 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
 	}
 
 	mac_len = skb->data - skb_mac_header(skb);
-	memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
-		mac_len - VLAN_HLEN - ETH_TLEN);
+	if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) {
+		memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
+			mac_len - VLAN_HLEN - ETH_TLEN);
+	}
 	skb->mac_header += VLAN_HLEN;
 	return skb;
 }
author	David S. Miller <davem@davemloft.net>	2018-03-30 12:36:28 -0400
committer	David S. Miller <davem@davemloft.net>	2018-03-30 12:36:28 -0400
commit	52a9692a43b8cbca179d2dd02e714df6f1197932 (patch)
tree	67df9144cea6262fc7660a1c8cc0556df7bf0a8b /net
parent	a9645b273e22662ebea563eae334eb3e4fc6614e (diff)
parent	c769accdf3d8a103940bea2979b65556718567e9 (diff)