git.ipfire.org Git - thirdparty/kernel/stable.git/commit
esp: limit skb_page_frag_refill use to a single page
author Sabrina Dubroca <sd@queasysnail.net>
Wed, 13 Apr 2022 08:10:50 +0000 (10:10 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 Jul 2022 14:27:27 +0000 (16:27 +0200)
commit 2c66b0c95bb0aa7652ba1eba293d0d5993b35a38
tree 794860f04ddef2d601d39d193a723499760df519
parent 1048779a1d7dcf0b5c150188decafa21c19821e4
esp: limit skb_page_frag_refill use to a single page

commit 5bd8baab087dff657e05387aee802e70304cc813 upstream.

Commit ebe48d368e97 ("esp: Fix possible buffer overflow in ESP
transformation") tried to fix skb_page_frag_refill usage in ESP by
capping allocsize to 32k, but that doesn't completely solve the issue,
as skb_page_frag_refill may return a single page. If that happens, we
will write out of bounds, despite the check introduced in the previous
patch.

This patch forces COW in cases where we would end up calling
skb_page_frag_refill with a size larger than a page (first in
esp_output_head with tailen, then in esp_output_tail with
skb->data_len).

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
include/net/esp.h
net/ipv4/esp4.c
net/ipv6/esp6.c
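
A user-space model of the failure mode the commit message describes, added here as an illustration; it is not kernel code and not part of the commit. The names `model_refill` and `model_output`, the 4096-byte page and the 32k high-order fragment are assumptions of the model, and the write is only classified, never performed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u                    /* assumed page size */
#define MODEL_FRAG_MAX  (MODEL_PAGE_SIZE << 3)   /* assumed 32k high-order fragment */

struct model_frag { size_t size, offset; };

enum model_path { PATH_FRAG_OK, PATH_COW, PATH_OOB };

/* Model of the refill: hands back a 32k fragment when the high-order
 * allocation succeeds, otherwise a single page. It reports success either
 * way and never compares sz with the size it actually obtained. */
static bool model_refill(size_t sz, struct model_frag *f, bool high_order_ok)
{
    (void)sz;
    f->offset = 0;
    f->size = high_order_ok ? MODEL_FRAG_MAX : MODEL_PAGE_SIZE;
    return true;
}

/* Caller-side decision. limit is the largest length allowed onto the
 * fragment path: MODEL_FRAG_MAX models the earlier 32k cap, MODEL_PAGE_SIZE
 * models the single-page limit. The would-be write is only classified. */
static enum model_path model_output(size_t len, size_t limit, bool high_order_ok)
{
    struct model_frag f;

    if (len > limit)
        return PATH_COW;                 /* take the copy-on-write path */
    if (!model_refill(len, &f, high_order_ok))
        return PATH_COW;
    return (f.offset + len <= f.size) ? PATH_FRAG_OK : PATH_OOB;
}

int main(void)
{
    static const char *name[] = { "frag ok", "cow", "OUT OF BOUNDS" };
    size_t lens[] = { 1500, 8192, 32768, 40000 };   /* constructed lengths */

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        for (int hi = 1; hi >= 0; hi--)
            printf("len=%5zu high_order=%d  32k cap: %-13s  page cap: %s\n",
                   lens[i], hi,
                   name[model_output(lens[i], MODEL_FRAG_MAX, hi)],
                   name[model_output(lens[i], MODEL_PAGE_SIZE, hi)]);
    return 0;
}
```

With the 32k cap, any length between one page and 32k is classified out of bounds whenever the refill falls back to a single page; with the single-page limit those lengths take the COW path regardless of which allocation succeeded.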