git.baikalelectronics.ru Git - kernel.git/commit

author	Stefano Brivio <sbrivio@redhat.com>
	Thu, 6 Dec 2018 18:30:37 +0000 (19:30 +0100)
committer	David S. Miller <davem@davemloft.net>
	Sat, 8 Dec 2018 00:24:40 +0000 (16:24 -0800)
commit	534c7b70e0d5c7ebe29f05b25565d75b475fccb0
tree	9b93e099315cb036f69df1d45cac0e98de166976	tree \| snapshot
parent	a39a3280597de47ebb9fa815d63020eb9e961cc8	commit \| diff

neighbour: Avoid writing before skb->head in neigh_hh_output()

While skb_push() makes the kernel panic if the skb headroom is less than
the unaligned hardware header size, it will proceed normally in case we
copy more than that because of alignment, and we'll silently corrupt
adjacent slabs.

In the case fixed by the previous patch,
"ipv6: Check available headroom in ip6_xmit() even without options", we
end up in neigh_hh_output() with 14 bytes headroom, 14 bytes hardware
header and write 16 bytes, starting 2 bytes before the allocated buffer.

Always check we're not writing before skb->head and, if the headroom is
not enough, warn and drop the packet.

v2:
- instead of panicking with BUG_ON(), WARN_ON_ONCE() and drop the packet
   (Eric Dumazet)
- if we avoid the panic, though, we need to explicitly check the headroom
   before the memcpy(), otherwise we'll have corrupted slabs on a running
   kernel, after we warn
- use __skb_push() instead of skb_push(), as the headroom check is
   already implemented here explicitly (Eric Dumazet)

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>