git.ipfire.org Git - thirdparty/kernel/stable.git/commit

esp: Fix possible buffer overflow in ESP transformation

commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 upstream.

The maximum message size that can be send is bigger than
the maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.

Fix this by doing a fallback to COW in that case.

v2:

Avoid get get_order() costs as suggested by Linus Torvalds.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

author	Steffen Klassert <steffen.klassert@secunet.com>
	Mon, 7 Mar 2022 12:11:39 +0000 (13:11 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 23 Mar 2022 08:13:29 +0000 (09:13 +0100)
commit	9248694dac20eda06e22d8503364dc9d03df4e2f
tree	9e993c4302894e306f92efc5a7a65fc374a3c94a	tree \| snapshot
parent	96340cdd552677a6bc9bfc6e3a749ff0bd49d3f8	commit \| diff

include/net/esp.h		diff \| blob \| blame \| history
include/net/sock.h		diff \| blob \| blame \| history
net/ipv4/esp4.c		diff \| blob \| blame \| history
net/ipv6/esp6.c		diff \| blob \| blame \| history