git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
ip: on queued skb use skb_header_pointer instead of pskb_may_pull
author: Willem de Bruijn <willemb@google.com>
Mon, 7 Jan 2019 21:47:33 +0000 (16:47 -0500)
committer: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Wed, 14 Aug 2019 09:18:49 +0000 (11:18 +0200)
commit: 1348dd92de8dc240ccb1459dfc4a044b89f9cec1
tree: 478c7d0262e418c807abb27a6a0ac2aadffc4e91
parent: 0ab51e0ef6efac76dc882b7d0fa99cf23f02afd9
ip: on queued skb use skb_header_pointer instead of pskb_may_pull

BugLink: https://bugs.launchpad.net/bugs/1837477
[ Upstream commit 4a06fa67c4da20148803525151845276cdb995c1 ]

Commit 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call
pskb_may_pull") avoided a read beyond the end of the skb linear
segment by calling pskb_may_pull.

That function can trigger a BUG_ON in pskb_expand_head if the skb is
shared, which it is when peeking. It can also return ENOMEM.

Avoid both by switching to safer skb_header_pointer.

Fixes: 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull")
Reported-by: syzbot <syzkaller@googlegroups.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
net/ipv4/ip_sockglue.c
net/ipv6/datagram.c
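Added illustration, not the kernel's code: a small userland model of the two helpers this commit swaps, showing why the header-pointer read is safe on a shared (peeked) skb while the pull is not. Every name prefixed `model_` is a hypothetical stand-in for the kernel structure or function it imitates, and the packet bytes are constructed for the example; the model returns -EBUSY where the real pskb_expand_head would BUG_ON.

```c
/* Added example, not kernel code: a userland model of skb_header_pointer()
 * versus pskb_may_pull(). Names prefixed model_ are hypothetical stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of an skb: a linear head (with spare capacity) plus one paged
 * fragment, and a reference count. users > 1 means the skb is shared,
 * which is the case while a datagram is peeked (MSG_PEEK) from a queue. */
struct model_skb {
    uint8_t *linear;     size_t linear_len; size_t linear_cap;
    const uint8_t *frag; size_t frag_len;
    int users;
};

static size_t model_skb_len(const struct model_skb *s)
{
    return s->linear_len + s->frag_len;
}

/* Model of skb_header_pointer(): returns a pointer to len bytes at offset.
 * If they already sit in the linear head, point straight at them; otherwise
 * copy them into the caller's buffer. The skb itself is never modified, so
 * sharing is irrelevant. Returns NULL if the range runs past the packet. */
static const void *model_header_pointer(const struct model_skb *s, size_t offset,
                                        size_t len, uint8_t *buffer)
{
    if (offset + len > model_skb_len(s))
        return NULL;
    if (offset + len <= s->linear_len)
        return s->linear + offset;
    for (size_t i = 0; i < len; i++) {
        size_t pos = offset + i;
        buffer[i] = pos < s->linear_len ? s->linear[pos]
                                        : s->frag[pos - s->linear_len];
    }
    return buffer;
}

/* Model of pskb_may_pull(): ensures the first len bytes are linear, moving
 * fragment bytes into the head if needed. The real helper reaches
 * pskb_expand_head() for that, which BUG_ON()s when the skb is shared and
 * returns -ENOMEM when a larger head cannot be allocated. This model
 * returns -EBUSY for the shared case instead of crashing; 0 means success. */
static int model_may_pull(struct model_skb *s, size_t len)
{
    if (len <= s->linear_len)
        return 0;
    if (len > model_skb_len(s))
        return -EINVAL;           /* packet too short */
    if (s->users > 1)
        return -EBUSY;            /* kernel: BUG_ON(skb_shared(skb)) */
    if (len > s->linear_cap)
        return -ENOMEM;           /* head reallocation failed */
    size_t delta = len - s->linear_len;
    memcpy(s->linear + s->linear_len, s->frag, delta);
    s->linear_len += delta;
    s->frag += delta;
    s->frag_len -= delta;
    return 0;
}

/* The post-commit pattern: read the transport ports (4 bytes after the IPv4
 * header) through a header pointer into a stack buffer. Returns the
 * destination port, or -1 if the packet is too short. Assumes the IPv4
 * header itself is linear, as the network stack guarantees by this point. */
static int model_read_dst_port(const struct model_skb *s)
{
    uint8_t ports[4];
    size_t ihl = (s->linear[0] & 0x0f) * 4;
    const uint8_t *p = model_header_pointer(s, ihl, sizeof(ports), ports);
    if (!p)
        return -1;
    return (p[2] << 8) | p[3];
}

/* Constructed sample: a 20-byte IPv4 header in the linear area and an 8-byte
 * UDP header (src 0x1234, dst 53) living entirely in the fragment. */
static uint8_t sample_head[64] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
};
static const uint8_t sample_frag[8] = { 0x12, 0x34, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };

/* Builds the sample skb; shared selects the peeked (users == 2) state. */
static struct model_skb model_sample(int shared)
{
    struct model_skb s = { sample_head, 20, sizeof sample_head,
                           sample_frag, sizeof sample_frag, shared ? 2 : 1 };
    return s;
}
```

With the sample in its peeked state, `model_read_dst_port` still returns 53 because the port bytes are copied out of the fragment into the caller's stack buffer, whereas `model_may_pull` refuses (the kernel would crash) since making those bytes linear means rewriting a head that another reference still sees. A too-short packet fails cleanly in both models, which is the bounds check the earlier commit 2efd4fca703a introduced and this one keeps.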