git.ipfire.org Git - thirdparty/kernel/stable.git/commit

esp: Fix possible buffer overflow in ESP transformation

commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 upstream.

The maximum message size that can be send is bigger than
the maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.

Fix this by doing a fallback to COW in that case.

v2:

Avoid get get_order() costs as suggested by Linus Torvalds.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

author	Steffen Klassert <steffen.klassert@secunet.com>
	Mon, 7 Mar 2022 12:11:39 +0000 (13:11 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 28 Mar 2022 06:41:42 +0000 (08:41 +0200)
commit	ce89087966651ad41e103770efc5ce2742046284
tree	4ac3171c99970f0d38d9db599531b7c27a418676	tree
parent	616e2dffaba372cf20b01172a73013ed28cbcc84	commit \| diff

include/net/esp.h		diff \| blob \| blame \| history
include/net/sock.h		diff \| blob \| blame \| history
net/core/sock.c		diff \| blob \| blame \| history
net/ipv4/esp4.c		diff \| blob \| blame \| history
net/ipv6/esp6.c		diff \| blob \| blame \| history