    esp: limit skb_page_frag_refill use to a single page · 5bd8baab
    Sabrina Dubroca authored
    Commit ebe48d36 ("esp: Fix possible buffer overflow in ESP
    transformation") tried to fix skb_page_frag_refill usage in ESP by
    capping allocsize to 32k, but that doesn't completely solve the issue,
    as skb_page_frag_refill may return a single page. If that happens, we
    will write out of bounds, despite the check introduced in the previous
    patch.
    
    This patch forces COW in cases where we would end up calling
    skb_page_frag_refill with a size larger than a page (first in
    esp_output_head with tailen, then in esp_output_tail with
    skb->data_len).
    
    Fixes: cac2661c ("esp4: Avoid skb_cow_data whenever possible")
    Fixes: 03e2a30f ("esp6: Avoid skb_cow_data whenever possible")
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
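
A simplified userspace model of the failure mode the commit message describes, added here as an illustration and not taken from the kernel or from this patch: a refill that can succeed with only a single page, the 32k cap from the earlier fix, and the single-page limit this commit describes. The `model_*` names, the 4096-byte page size and the split into helper functions are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u                   /* assumed page size */
#define MODEL_FRAG_MAX  (8u * MODEL_PAGE_SIZE)  /* the 32k cap from the earlier fix */

struct model_frag { size_t size, offset; };

/* Model of a fresh refill: the 32k fragment is tried first; when it is not
 * available the call still succeeds, but with one page, whatever was asked. */
static bool model_refill(size_t want, struct model_frag *f, bool high_order_ok)
{
    (void)want;  /* the requested size does not influence the fallback */
    f->offset = 0;
    f->size = high_order_ok ? MODEL_FRAG_MAX : MODEL_PAGE_SIZE;
    return true;
}

/* Earlier check: only sizes above 32k are diverted away from the fragment. */
static bool cap_32k_allows(size_t allocsize) { return allocsize <= MODEL_FRAG_MAX; }

/* Check described in this commit: anything above one page takes the COW path. */
static bool single_page_allows(size_t allocsize) { return allocsize <= MODEL_PAGE_SIZE; }

/* Bytes a write of allocsize would run past the fragment (0 = in bounds). */
static size_t model_overrun(size_t allocsize, bool high_order_ok)
{
    struct model_frag f;
    if (!model_refill(allocsize, &f, high_order_ok))
        return 0;
    size_t end = f.offset + allocsize;
    return end > f.size ? end - f.size : 0;
}

int main(void)
{
    const size_t sizes[] = { 1500, 4096, 4097, 20000, 32768 };  /* constructed */
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("%6zu  cap32k=%d  one_page=%d  overrun_if_single_page=%zu\n",
               sizes[i], cap_32k_allows(sizes[i]), single_page_allows(sizes[i]),
               model_overrun(sizes[i], false));
    return 0;
}
```

Every size the single-page check lets through stays in bounds in both refill outcomes, while the 32k cap lets through sizes that overrun whenever the fallback page is returned.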
esp4.c 27.6 KB