David Ahern
2021-Mar-08 16:42 UTC
[PATCH v2 2/2] net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0
On 3/8/21 9:26 AM, Balazs Nemeth wrote:
> On Mon, 2021-03-08 at 09:17 -0700, David Ahern wrote: >> On 3/8/21 9:07 AM, Willem de Bruijn wrote: >>>> diff --git a/net/mpls/mpls_gso.c b/net/mpls/mpls_gso.c >>>> index b1690149b6fa..cc1b6457fc93 100644 >>>> --- a/net/mpls/mpls_gso.c >>>> +++ b/net/mpls/mpls_gso.c >>>> @@ -27,7 +27,7 @@ static struct sk_buff *mpls_gso_segment(struct >>>> sk_buff *skb, >>>> >>>> ??????? skb_reset_network_header(skb); >>>> ??????? mpls_hlen = skb_inner_network_header(skb) - >>>> skb_network_header(skb); >>>> -?????? if (unlikely(!pskb_may_pull(skb, mpls_hlen))) >>>> +?????? if (unlikely(!mpls_hlen || !pskb_may_pull(skb, >>>> mpls_hlen))) >>>> ??????????????? goto out; >>> >>> Good catch. Besides length zero, this can be more strict: a label >>> is >>> 4B, so mpls_hlen needs to be >= 4B. >>> >>> Perhaps even aligned to 4B, too, but not if there may be other >>> encap on top. >>> >>> Unfortunately there is no struct or type definition that we can use >>> a >>> sizeof instead of open coding the raw constant. >>> >> >> MPLS_HLEN can be used here. >> > > What about sizeof(struct mpls_label), like in net/ipv4/tunnel4.c? >
I was thinking MPLS_HLEN because of its consistent use with skb manipulations. net/mpls code uses mpls_shim_hdr over mpls_label. Looks like the MPLS code could use some cleanups to make this consistent.
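Review bot: the added `!mpls_hlen` test in the `if (unlikely(...))` line rejects only a zero length, so an mpls_hlen of 1 to 3 bytes, or any value that is not a whole number of 4-byte labels, still passes this test as long as pskb_may_pull() succeeds. As the replies in this thread suggest, the check could use the existing MPLS_HLEN constant rather than a raw number and require mpls_hlen to be a non-zero multiple of it. The hunk does not show the declared type of mpls_hlen; since it is computed as `skb_inner_network_header(skb) - skb_network_header(skb)`, it is worth confirming what happens when the inner network header offset is below the network header offset. A one-line comment stating why zero is rejected (the infinite loop named in the subject) would also help later readers.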
Willem de Bruijn
2021-Mar-08 18:11 UTC
[PATCH v2 2/2] net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0
On Mon, Mar 8, 2021 at 11:43 AM David Ahern <dsahern at gmail.com> wrote:
> > On 3/8/21 9:26 AM, Balazs Nemeth wrote: > > On Mon, 2021-03-08 at 09:17 -0700, David Ahern wrote: > >> On 3/8/21 9:07 AM, Willem de Bruijn wrote: > >>>> diff --git a/net/mpls/mpls_gso.c b/net/mpls/mpls_gso.c > >>>> index b1690149b6fa..cc1b6457fc93 100644 > >>>> --- a/net/mpls/mpls_gso.c > >>>> +++ b/net/mpls/mpls_gso.c > >>>> @@ -27,7 +27,7 @@ static struct sk_buff *mpls_gso_segment(struct > >>>> sk_buff *skb, > >>>> > >>>> skb_reset_network_header(skb); > >>>> mpls_hlen = skb_inner_network_header(skb) - > >>>> skb_network_header(skb); > >>>> - if (unlikely(!pskb_may_pull(skb, mpls_hlen))) > >>>> + if (unlikely(!mpls_hlen || !pskb_may_pull(skb, > >>>> mpls_hlen))) > >>>> goto out; > >>> > >>> Good catch. Besides length zero, this can be more strict: a label > >>> is > >>> 4B, so mpls_hlen needs to be >= 4B. > >>> > >>> Perhaps even aligned to 4B, too, but not if there may be other > >>> encap on top.
On second thought, since mpls_gso_segment pulls all these headers, it is correct to require it to be a multiple of MPLS_HLEN.