• Willem de Bruijn's avatar
    ip: validate header length on virtual device xmit · cb9f1b78
    Willem de Bruijn authored
    KMSAN detected read beyond end of buffer in vti and sit devices when
    passing truncated packets with PF_PACKET. The issue affects additional
    ip tunnel devices.
    
    Extend commit 76c0ddd8 ("ip6_tunnel: be careful when accessing the
    inner header") and commit ccfec9e5 ("ip_tunnel: be careful when
    accessing the inner header").
    
    Move the check to a separate helper and call at the start of each
    ndo_start_xmit function in net/ipv4 and net/ipv6.
    
    Minor changes:
    - convert dev_kfree_skb to kfree_skb on error path,
      as dev_kfree_skb calls consume_skb which is not for error paths.
    - use pskb_network_may_pull even though that is pedantic here,
      as the same as pskb_may_pull for devices without llheaders.
    - do not cache ipv6 hdrs if used only once
      (unsafe across pskb_may_pull, was more relevant to earlier patch)
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    cb9f1b78
ip_tunnels.h 13.1 KB