On Mon, 20 Feb 2017 17:55:39 +0100
Paolo Abeni <pab...@redhat.com> wrote:
> The skbs processed by ip_cmsg_recv() are not guaranteed to
> be linear e.g. when sending UDP packets over loopback with
> MSGMORE.
> Using csum_partial() on [potentially] the whole skb len
> is dangerous; instead be on the safe side and use skb_checksum().
>
> Thanks to syzkaller team to detect the issue and provide the
> reproducer.
>
> Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
> Reported-by: Andrey Konovalov <andreyk...@google.com>
> Signed-off-by: Paolo Abeni <pab...@redhat.com>
> ---
> net/ipv4/ip_sockglue.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
> index 9000117..d88bbe2 100644
> --- a/net/ipv4/ip_sockglue.c
> +++ b/net/ipv4/ip_sockglue.c
> @@ -112,14 +112,15 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg,
> struct sk_buff *skb,
> int tlen, int offset)
> {
> __wsum csum = skb->csum;
> + int tend_off;
>
> if (skb->ip_summed != CHECKSUM_COMPLETE)
> return;
>
> - if (offset != 0)
> - csum = csum_sub(csum,
> - csum_partial(skb_transport_header(skb) + tlen,
> - offset, 0));
> + if (offset != 0) {
> + tend_off = skb_transport_offset(skb) + tlen;
> + csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0));
> + }
If you need to add a local variable (tend_off) then please make its scope
as tight as possible. i.e.
if (offset != 0) {
int tend_off = skb_transport_offset(skb) + tlen;
