path: root/include/net/inet_ecn.h
author Toke Høiland-Jørgensen <toke@redhat.com> 2020-07-07 13:03:25 +0200
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-12-11 13:36:44 +0100
commit bb7b26278b384dad1423101dc69157b63968ed1c (patch)
tree 4745ddb2fb8dd6bc3e3ed3b67e16ccb3f58982cd /include/net/inet_ecn.h
parent 22e3c0842a8d37b76a35c0137629c04bed70e96e (diff)
vlan: consolidate VLAN parsing code and limit max parsing depth
[ Upstream commit 469aceddfa3ed16e17ee30533fae45e90f62efd8 ]

Toshiaki pointed out that we now have two very similar functions to extract
the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
that the unbounded parsing loop makes it possible for maliciously crafted
packets to loop through potentially hundreds of tags.

Fix both of these issues by consolidating the two parsing functions and
limiting the VLAN tag parsing to a max depth of 8 tags. As part of this,
switch over __vlan_get_protocol() to use skb_header_pointer() instead of
pskb_may_pull(), to avoid the possible side effects of the latter and keep
the skb pointer 'const' through all the parsing functions.

v2:
- Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT)

Reported-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in the presence of VLANs")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
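The bounded tag walk the commit message describes, as an added user-space example; it is not the kernel's code and not part of this commit. The names `frame_l3_proto`, `rd16` and `demo` are hypothetical, the frames are constructed inline, and `rd16` is a plain read-only bounds check standing in for the role the message gives to skb_header_pointer().

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_P_IP       0x0800
#define ETH_P_8021Q    0x8100
#define ETH_P_8021AD   0x88A8
#define VLAN_HLEN      4
#define VLAN_MAX_DEPTH 8            /* limit named in the commit message */

/* Bounds-checked big-endian read; the frame is const and never modified. */
static int32_t rd16(const uint8_t *f, size_t len, size_t off)
{
    if (len < 2 || off > len - 2)
        return -1;
    return (int32_t)((f[off] << 8) | f[off + 1]);
}

/* L3 EtherType after skipping VLAN tags; 0 if truncated or too deeply tagged. */
uint16_t frame_l3_proto(const uint8_t *f, size_t len, int *tags_out)
{
    size_t off = 12;                /* EtherType offset in the Ethernet header */
    int32_t proto = rd16(f, len, off);
    int tags = 0;
    while (proto == ETH_P_8021Q || proto == ETH_P_8021AD) {
        if (++tags > VLAN_MAX_DEPTH)
            return 0;               /* stop walking a crafted tag stack */
        off += VLAN_HLEN;           /* 2-byte TCI, then the encapsulated proto */
        proto = rd16(f, len, off);
    }
    if (proto < 0)
        return 0;                   /* ran off the end of the frame */
    if (tags_out)
        *tags_out = tags;
    return (uint16_t)proto;
}

/* Constructed sample: IPv4 frame with `ntags` 802.1Q tags, cut to `len` bytes.
 * ntags must stay below 250 so the frame fits the local buffer. */
uint16_t demo(int ntags, size_t len, int *tags_out)
{
    uint8_t f[1024] = {0};
    size_t off = 12;
    for (int i = 0; i < ntags; i++, off += VLAN_HLEN) {
        f[off] = ETH_P_8021Q >> 8; f[off + 1] = ETH_P_8021Q & 0xff;
    }
    f[off] = ETH_P_IP >> 8; f[off + 1] = ETH_P_IP & 0xff;
    return frame_l3_proto(f, len, tags_out);
}

int main(void) { return demo(2, 64, NULL) == ETH_P_IP ? 0 : 1; }
```

A frame with more than `VLAN_MAX_DEPTH` tags and a frame truncated inside the tag stack both yield 0, so the caller treats them the same way as an unknown protocol.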
Diffstat (limited to 'include/net/inet_ecn.h')
-rw-r--r-- include/net/inet_ecn.h | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/include/net/inet_ecn.h b/include/net/inet_ecn.h
index dce2d586d9ce..245d999c0eac 100644
--- a/include/net/inet_ecn.h
+++ b/include/net/inet_ecn.h
@@ -3,6 +3,7 @@
#include <linux/ip.h>
#include <linux/skbuff.h>
+#include <linux/if_vlan.h>
#include <net/inet_sock.h>
#include <net/dsfield.h>
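Review bot: The new `#include <linux/if_vlan.h>` (new line 5 of inet_ecn.h) has no user visible in this hunk, and the commit message never mentions inet_ecn.h, so the reason this header now depends on if_vlan.h is undocumented. Since the message only talks about consolidating the two VLAN parsing functions, please add one sentence to the changelog naming the helper that inet_ecn.h picks up from if_vlan.h; otherwise a later include cleanup could drop this line as unused, and a stable backport reviewer cannot tell from this file alone whether the include is required. Placement alongside the other `linux/` headers and ahead of the `net/` ones is fine.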