On Mon, Dec 14, 2020 at 2:21 PM Vasily Averin <v...@virtuozzo.com> wrote:
>
> syzbot reproduces BUG_ON in skb_checksum_help():
> tun creates (bogus) skb with huge partial-checksummed area and
> small ip packet inside. Then ip_rcv trims the skb based on size
> of internal ip packet, after that csum offset points beyond of
> trimmed skb. Then checksum_tg() called via netfilter hook
> triggers BUG_ON:
>
> offset = skb_checksum_start_offset(skb);
> BUG_ON(offset >= skb_headlen(skb));
>
> To work around the problem this patch forces pskb_trim_rcsum_slow()
> to return -EINVAL in described scenario. It allows its callers to
> drop such kind of packets.
>
> Link:
> https://syzkaller.appspot.com/bug?id=b419a5ca95062664fe1a60b764621eb4526e2cd0
> Reported-by: syzbot+7010af67ced6105e5...@syzkaller.appspotmail.com
> Signed-off-by: Vasily Averin <v...@virtuozzo.com>
> ---
> v2: drop bogus packets instead change its CHECKSUM_PARTIAL to CHECKSUM_NONE
Thanks for revising.
As far as I can tell, this goes back to the original introduction of
that user interface to set checksum offload, so
Fixes: 296f96fcfc16 ("Net driver using virtio")
For next time, please also mark network fixes as [PATCH net]. With that
Acked-by: Willem de Bruijn <will...@google.com>
