author | David S. Miller <davem@davemloft.net> | 2018-03-30 12:36:28 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-03-30 12:36:28 -0400 |
commit | 52a9692a43b8cbca179d2dd02e714df6f1197932 (patch) | |
tree | 67df9144cea6262fc7660a1c8cc0556df7bf0a8b /net | |
parent | a9645b273e22662ebea563eae334eb3e4fc6614e (diff) | |
parent | c769accdf3d8a103940bea2979b65556718567e9 (diff) |
Merge branch 'vlan-fix'

Toshiaki Makita says:

====================
Fix vlan tag handling for vlan packets without ethernet headers

Eric Dumazet reported syzbot found a new bug which leads to underflow of
size argument of memmove(), causing crash[1]. This can be triggered by tun
devices.

The underflow happened because skb_vlan_untag() did not expect vlan packets
without ethernet headers, and tun can produce such packets.

I also checked vlan_insert_inner_tag() and found a similar bug.

This series fixes these problems.

[1] https://marc.info/?l=linux-netdev&m=152221753920510&w=2
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/core/skbuff.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 1e7acdc30732..857e4e6f751a 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -5028,8 +5028,10 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) } mac_len = skb->data - skb_mac_header(skb); - memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), - mac_len - VLAN_HLEN - ETH_TLEN); + if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) { + memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), + mac_len - VLAN_HLEN - ETH_TLEN); + } skb->mac_header += VLAN_HLEN; return skb; } |
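Review bot: The new `mac_len > VLAN_HLEN + ETH_TLEN` guard in skb_reorder_vlan_header() covers only the memmove(); the `skb->mac_header += VLAN_HLEN;` that follows still runs when the guard is false. If advancing mac_header is intended for packets whose MAC header is too short to reorder, a short comment above the `if` naming that case (the merge message describes tun-produced vlan packets without ethernet headers) would make the asymmetry explicit; if it is not intended, the adjustment belongs inside the guarded block. The guard also silently accepts the short-header packet rather than rejecting it, so it is worth stating in the comment that callers are expected to cope with an skb whose header bytes were not moved.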