From: Eric Dumazet <eric.duma...@gmail.com>
Date: Wed, 17 Jan 2018 14:21:13 -0800

> From: Eric Dumazet <eduma...@google.com>
>
> syzbot reported yet another crash [1] that is caused by
> insufficient validation of DODGY packets.
>
> Two bugs are happening here to trigger the crash.
>
> 1) Flow dissection leaves with incorrect thoff field.
>
> 2) skb_probe_transport_header() sets transport header to this invalid
> thoff, even if pointing after skb valid data.
>
> 3) qdisc_pkt_len_init() reads out-of-bounds data because it
> trusts tcp_hdrlen(skb)
>
> Possible fixes:
>
> - Full flow dissector validation before injecting bad DODGY packets in
> the stack.
> This approach was attempted here: https://patchwork.ozlabs.org/patch/861874/
>
> - Have more robust functions in the core.
> This might be needed anyway for stable versions.
>
> This patch fixes the flow dissection issue.
>
> [1] ...
>
> Fixes: 34fad54c2537 ("net: __skb_flow_dissect() must cap its return value")
> Fixes: a6e544b0a88b ("flow_dissector: Jump to exit code in __skb_flow_dissect")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Cc: Willem de Bruijn <will...@google.com>
> Reported-by: syzbot <syzkal...@googlegroups.com>

Applied and queued up for -stable, thanks Eric.
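The three-step chain in the commit message (dissector reports a thoff past the valid data, the transport header is set to it, tcp_hdrlen() is trusted and reads out of bounds) is easiest to reason about with the guards written out. The following is an added, user-space illustration, not the kernel's code and not Eric's patch: `struct pkt`, `cap_thoff()`, `probe_transport_header()`, `tcp_hdrlen_checked()` and `build_sample_frame()` are all hypothetical stand-ins for sk_buff, the flow dissector's thoff cap, skb_probe_transport_header() and tcp_hdrlen(). It shows the two defensive layers the message contrasts: capping the dissector's result at the available data, and making the consumer refuse a header that does not fit rather than trusting the offset and the TCP data-offset nibble. The Ethernet/IPv4/TCP frame is constructed inline as sample input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical user-space model, not the kernel's struct sk_buff: 'len'
 * bytes of valid packet data plus a transport-header offset that may come
 * from an untrusted (DODGY) packet and therefore must never be trusted. */
struct pkt {
    const uint8_t *data;
    size_t len;               /* bytes of valid data */
    size_t transport_header;  /* offset into data, or PKT_NO_HDR if unset */
};

#define PKT_NO_HDR    ((size_t)-1)
#define ETH_HLEN      14
#define IPV4_HLEN     20
#define TCP_MIN_HLEN  20
#define TCP_MAX_HLEN  60

/* Layer 1 (dissector side): cap the reported thoff at the amount of valid
 * data, so a malformed header chain can never leave an offset past the end. */
static size_t cap_thoff(size_t thoff, size_t len)
{
    return thoff < len ? thoff : len;
}

/* Layer 2 (probe side): only record thoff as the transport header when a
 * minimal TCP header fits entirely inside the valid data. */
bool probe_transport_header(struct pkt *p, size_t thoff)
{
    thoff = cap_thoff(thoff, p->len);
    if (p->len - thoff < TCP_MIN_HLEN) {
        p->transport_header = PKT_NO_HDR;
        return false;
    }
    p->transport_header = thoff;
    return true;
}

/* Layer 3 (consumer side): bounds-checked TCP header length. Returns 0 for
 * "unknown" instead of reading past valid data or believing a data-offset
 * nibble (upper 4 bits of byte 12, in 32-bit words) that is out of range. */
size_t tcp_hdrlen_checked(const struct pkt *p)
{
    size_t off = p->transport_header;
    if (off == PKT_NO_HDR || off > p->len || p->len - off < TCP_MIN_HLEN)
        return 0;
    size_t hdrlen = (size_t)(p->data[off + 12] >> 4) * 4;
    if (hdrlen < TCP_MIN_HLEN || hdrlen > TCP_MAX_HLEN || hdrlen > p->len - off)
        return 0;
    return hdrlen;
}

/* Constructed sample input: Ethernet/IPv4/TCP frame without options, with
 * 'doff' (in 32-bit words) written into the TCP data-offset field.
 * Returns the number of bytes written (54), or 0 if 'cap' is too small. */
size_t build_sample_frame(uint8_t *buf, size_t cap, uint8_t doff)
{
    size_t total = ETH_HLEN + IPV4_HLEN + TCP_MIN_HLEN;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                           /* EtherType IPv4 */
    buf[ETH_HLEN] = 0x45;                                     /* IPv4, IHL = 5 */
    buf[ETH_HLEN + 9] = 6;                                    /* protocol TCP */
    buf[ETH_HLEN + IPV4_HLEN + 12] = (uint8_t)(doff << 4);    /* TCP data offset */
    return total;
}

/* Runs the four scenarios from the bug chain; returns how many behaved safely. */
int self_check(void)
{
    uint8_t buf[64];
    struct pkt p = { buf, 0, PKT_NO_HDR };
    int ok = 0;

    /* Well-formed frame: thoff 34, doff 5 -> 20-byte header. */
    p.len = build_sample_frame(buf, sizeof buf, 5);
    ok += probe_transport_header(&p, ETH_HLEN + IPV4_HLEN) && tcp_hdrlen_checked(&p) == 20;

    /* Truncated: only 10 bytes of TCP header are valid data. */
    p.len = ETH_HLEN + IPV4_HLEN + 10;
    ok += !probe_transport_header(&p, ETH_HLEN + IPV4_HLEN) && tcp_hdrlen_checked(&p) == 0;

    /* Bogus thoff far past the data: capped, then rejected. */
    p.len = build_sample_frame(buf, sizeof buf, 5);
    ok += !probe_transport_header(&p, 4096) && tcp_hdrlen_checked(&p) == 0;

    /* doff claims a 60-byte header but only 20 bytes are present. */
    p.len = build_sample_frame(buf, sizeof buf, 15);
    ok += probe_transport_header(&p, ETH_HLEN + IPV4_HLEN) && tcp_hdrlen_checked(&p) == 0;

    return ok;
}
```

The point of the last scenario is that capping thoff alone is not enough: a thoff that lands inside the packet still lets an attacker-controlled data-offset nibble claim more header than exists, so the consumer has to check `hdrlen` against the remaining valid data as well, which is the "more robust functions in the core" option the commit message mentions.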