git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Eric Dumazet <edumazet@google.com>
	Tue, 24 Jan 2017 00:43:06 +0000 (16:43 -0800)
committer	Ben Hutchings <ben@decadent.org.uk>
	Thu, 16 Mar 2017 02:27:24 +0000 (02:27 +0000)
commit	d3d9b59ab32160e3cc4edcf7e5fa7cecb53a7d25
tree	e7b5afd55dd39f555ea85aa1582719bb6d35ca67	tree \| snapshot
parent	b6927bd60d353de044584ab9400aaccd8694fe1e	commit \| diff

ipv6: fix ip6_tnl_parse_tlv_enc_lim()

[ Upstream commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 ]

This function suffers from multiple issues.

First one is that pskb_may_pull() may reallocate skb->head,
so the 'raw' pointer needs either to be reloaded or not used at all.

Second issue is that NEXTHDR_DEST handling does not validate
that the options are present in skb->data, so we might read
garbage or access non existent memory.

With help from Willem de Bruijn.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>