--- /dev/null
+From 40413955ee265a5e42f710940ec78f5450d49149 Mon Sep 17 00:00:00 2001
+From: "yujuan.qi" <yujuan.qi@mediatek.com>
+Date: Mon, 31 Jul 2017 11:23:01 +0800
+Subject: Cipso: cipso_v4_optptr enter infinite loop
+
+From: yujuan.qi <yujuan.qi@mediatek.com>
+
+commit 40413955ee265a5e42f710940ec78f5450d49149 upstream.
+
+in for(),if((optlen > 0) && (optptr[1] == 0)), enter infinite loop.
+
+Test: receive a packet which the ip length > 20 and the first byte of ip option is 0, produce this issue
+
+Signed-off-by: yujuan.qi <yujuan.qi@mediatek.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/cipso_ipv4.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1591,9 +1591,17 @@ unsigned char *cipso_v4_optptr(const str
+ int taglen;
+
+ for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
+- if (optptr[0] == IPOPT_CIPSO)
++ switch (optptr[0]) {
++ case IPOPT_CIPSO:
+ return optptr;
+- taglen = optptr[1];
++ case IPOPT_END:
++ return NULL;
++ case IPOPT_NOOP:
++ taglen = 1;
++ break;
++ default:
++ taglen = optptr[1];
++ }
+ optlen -= taglen;
+ optptr += taglen;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
