git.ipfire.org Git - thirdparty/kernel/stable.git/commit

vlan: consolidate VLAN parsing code and limit max parsing depth

[ Upstream commit 469aceddfa3ed16e17ee30533fae45e90f62efd8 ]

Toshiaki pointed out that we now have two very similar functions to extract
the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
that the unbounded parsing loop makes it possible for maliciously crafted
packets to loop through potentially hundreds of tags.

Fix both of these issues by consolidating the two parsing functions and
limiting the VLAN tag parsing to a max depth of 8 tags. As part of this,
switch over __vlan_get_protocol() to use skb_header_pointer() instead of
pskb_may_pull(), to avoid the possible side effects of the latter and keep
the skb pointer 'const' through all the parsing functions.

v2:
- Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT)

Reported-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in the presence of VLANs")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>

author	Toke Høiland-Jørgensen <toke@redhat.com>
	Tue, 7 Jul 2020 11:03:25 +0000 (13:03 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 11 Dec 2020 12:39:03 +0000 (13:39 +0100)
commit	502bbb8480c38ae6caa4f890b98db3b2a4ae919a
tree	42c82cdcc6d1bdd40fd8305871010a619540e05d	tree \| snapshot
parent	272b1fcf1cab41fc46c5affb61cb74e4786bcec1	commit \| diff

include/linux/if_vlan.h		diff \| blob \| blame \| history
include/net/inet_ecn.h		diff \| blob \| blame \| history