git.baikalelectronics.ru Git - kernel.git/commit

author	Bernie Harris <bernie.harris@alliedtelesis.co.nz>
	Sun, 21 Feb 2016 23:58:05 +0000 (12:58 +1300)
committer	David S. Miller <davem@davemloft.net>
	Wed, 24 Feb 2016 00:11:56 +0000 (19:11 -0500)
commit	e6eebf3aa5a5e84e59aa072f981a7dd53a6c73a9
tree	1fbf629e155a98bc41bbd7ea7797d62181639357	tree \| snapshot
parent	cb7eb148e93b62a2f077b4131c1c01d53a8ab654	commit \| diff

tunnel: Clear IPCB(skb)->opt before dst_link_failure called

IPCB may contain data from previous layers (in the observed case the
qdisc layer). In the observed scenario, the data was misinterpreted as
ip header options, which later caused the ihl to be set to an invalid
value (<5). This resulted in an infinite loop in the mips implementation
of ip_fast_csum.

This patch clears IPCB(skb)->opt before dst_link_failure can be called for
various types of tunnels. This change only applies to encapsulated ipv4
packets.

The code introduced in 6cb9fdd7 which clears all of IPCB has been removed
to be consistent with these changes, and instead the opt field is cleared
unconditionally in ip_tunnel_xmit. The change in ip_tunnel_xmit applies to
SIT, GRE, and IPIP tunnels.

The relevant vti, l2tp, and pptp functions already contain similar code for
clearing the IPCB.

Signed-off-by: Bernie Harris <bernie.harris@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv4/ip_tunnel.c		diff \| blob \| history
net/ipv4/udp_tunnel.c		diff \| blob \| history
net/ipv6/ip6_gre.c		diff \| blob \| history
net/ipv6/ip6_tunnel.c		diff \| blob \| history