git.baikalelectronics.ru Git - kernel.git/commit
vlan: consolidate VLAN parsing code and limit max parsing depth
author Toke Høiland-Jørgensen <toke@redhat.com>
Tue, 7 Jul 2020 11:03:25 +0000 (13:03 +0200)
committer David S. Miller <davem@davemloft.net>
Tue, 7 Jul 2020 22:48:38 +0000 (15:48 -0700)
commit 6c287eeea72b0c0009637d07e5e818aefd587c18
tree 2d2cd732d419bf63db47faa8ff36265d1184ee1d
parent 4d257ad9d0791df8bcca7e0726a7e693eb817070

Toshiaki pointed out that we now have two very similar functions to extract
the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
that the unbounded parsing loop makes it possible for maliciously crafted
packets to loop through potentially hundreds of tags.

Fix both of these issues by consolidating the two parsing functions and
limiting the VLAN tag parsing to a max depth of 8 tags. As part of this,
switch over __vlan_get_protocol() to use skb_header_pointer() instead of
pskb_may_pull(), to avoid the possible side effects of the latter and keep
the skb pointer 'const' through all the parsing functions.

v2:
- Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT)

Reported-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Fixes: 497fdc5a2504 ("sched: consistently handle layer3 header accesses in the presence of VLANs")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/if_vlan.h
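
The depth-limited, read-only tag walk the commit message describes, as an added user-space example (not the kernel's code): `read_be16`, `frame_l3_proto`, `build_frame` and `MAX_VLAN_DEPTH` are hypothetical names, and the frame is assumed to be Ethernet II with the EtherType at offset 12.

```c
#include <stdint.h>
#include <string.h>

#define ETHERTYPE_8021Q  0x8100u  /* C-VLAN tag */
#define ETHERTYPE_8021AD 0x88A8u  /* S-VLAN (QinQ) tag */
#define MAX_VLAN_DEPTH   8        /* limit stated in the commit message */

/* Bounds-checked big-endian read; the buffer stays const and is never resized. */
static int read_be16(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (len < 2 || off > len - 2)
        return -1;
    *out = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    return 0;
}

/* Returns the first non-VLAN EtherType, or 0 if the frame is truncated or
 * carries more than MAX_VLAN_DEPTH tags. *depth receives the tag count. */
uint16_t frame_l3_proto(const uint8_t *frame, size_t len, int *depth)
{
    size_t off = 12;              /* skip destination + source MAC */
    uint16_t type;
    int tags = 0;
    if (read_be16(frame, len, off, &type) < 0)
        return 0;
    while (type == ETHERTYPE_8021Q || type == ETHERTYPE_8021AD) {
        if (++tags > MAX_VLAN_DEPTH)
            return 0;             /* too deep: give up instead of looping on */
        off += 4;                 /* TPID (2) + TCI (2); next type follows */
        if (read_be16(frame, len, off, &type) < 0)
            return 0;
    }
    if (depth)
        *depth = tags;
    return type;
}

/* Constructed sample: zeroed MACs, ntags 802.1Q tags, then IPv4 (0x0800). */
size_t build_frame(uint8_t *buf, size_t cap, unsigned ntags)
{
    size_t off = 12, need = 14 + 4 * (size_t)ntags;
    if (need > cap)
        return 0;
    memset(buf, 0, need);
    for (unsigned i = 0; i < ntags; i++, off += 4)
        buf[off] = 0x81;          /* TPID 0x8100; TCI stays zero */
    buf[off] = 0x08;              /* inner EtherType 0x0800 */
    return need;
}
```

A frame with nine or more stacked tags yields 0 here, the same "no protocol" result as a truncated frame, so the work per packet is bounded regardless of what the sender stacks.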