xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Add validation of the inner IPv4 packet tot_len and ihl fields parsed
from decrypted IPTFS payloads in __input_process_payload(). A crafted
ESP packet containing an inner IPv4 header with tot_len=0 causes an
infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
data offset never advances and the while(data < tail) loop never
terminates, spinning forever in softirq context.

Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
iphdr), which catches both the tot_len=0 case and malformed ihl values.
The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
extracts and processes inner packets before they reach that layer.

Reported-by: Roshan Kumar <roshaen09@gmail.com>
Fixes: 6c82d2433671 ("xfrm: iptfs: add basic receive packet (tunnel egress) handling")
Cc: stable@vger.kernel.org
Signed-off-by: Roshan Kumar <roshaen09@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

diff --git a/net/xfrm/xfrm_iptfs.c b/net/xfrm/xfrm_iptfs.c
index 3b6d7284fc70a39370d2ea2398bd66ed42b5696f..0747d1cfa33380818719ca530681b1743eedad12 100644 (file)
--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -991,6 +991,11 @@ static bool __input_process_payload(struct xfrm_state *x, u32 data,
 
                        iplen = be16_to_cpu(iph->tot_len);
                        iphlen = iph->ihl << 2;
+                       if (iplen < iphlen || iphlen < sizeof(*iph)) {
+                               XFRM_INC_STATS(net,
+                                              LINUX_MIB_XFRMINHDRERROR);
+                               goto done;
+                       }
                        protocol = cpu_to_be16(ETH_P_IP);
                        XFRM_MODE_SKB_CB(skbseq->root_skb)->tos = iph->tos;
                } else if (iph->version == 0x6) {