git.baikalelectronics.ru Git - kernel.git/commit

author	Sabrina Dubroca <sd@queasysnail.net>
	Wed, 13 Apr 2022 08:10:50 +0000 (10:10 +0200)
committer	Steffen Klassert <steffen.klassert@secunet.com>
	Wed, 13 Apr 2022 08:16:11 +0000 (10:16 +0200)
commit	e35ed3131fb90a10ea0f17ec3081427c1eea1eab
tree	cffe80b54f0a32dad75e14c66b981b482d1027a2	tree \| snapshot
parent	a31e2e12d99e64af4113cd8ec8ec7e08b88366ae	commit \| diff

esp: limit skb_page_frag_refill use to a single page

Commit d0656f88c0cf ("esp: Fix possible buffer overflow in ESP
transformation") tried to fix skb_page_frag_refill usage in ESP by
capping allocsize to 32k, but that doesn't completely solve the issue,
as skb_page_frag_refill may return a single page. If that happens, we
will write out of bounds, despite the check introduced in the previous
patch.

This patch forces COW in cases where we would end up calling
skb_page_frag_refill with a size larger than a page (first in
esp_output_head with tailen, then in esp_output_tail with
skb->data_len).

Fixes: 1f6f9496b0f0 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 73a7b070a864 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

include/net/esp.h		diff \| blob \| history
net/ipv4/esp4.c		diff \| blob \| history
net/ipv6/esp6.c		diff \| blob \| history