git.ipfire.org Git - thirdparty/kernel/stable.git/commit

esp: Fix possible buffer overflow in ESP transformation

commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 upstream.

The maximum message size that can be send is bigger than
the maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.

Fix this by doing a fallback to COW in that case.

v2:

Avoid get get_order() costs as suggested by Linus Torvalds.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

author	Steffen Klassert <steffen.klassert@secunet.com>
	Mon, 7 Mar 2022 12:11:39 +0000 (13:11 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 28 Mar 2022 06:22:26 +0000 (08:22 +0200)
commit	2c8abafd6c72ef04bc972f40332c76c1dd04446d
tree	e00c16d2e92c26d3a16c8d65334cbbaac2c6c9bb	tree
parent	5149b895206f810e3b616896c1ee99d7a2d005c5	commit \| diff

include/net/esp.h		diff \| blob \| blame \| history
include/net/sock.h		diff \| blob \| blame \| history
net/core/sock.c		diff \| blob \| blame \| history
net/ipv4/esp4.c		diff \| blob \| blame \| history
net/ipv6/esp6.c		diff \| blob \| blame \| history