fou: Prevent unbounded recursion in GUE error handler also with UDP-Lite

In commit 6305f06f1bde ("fou: Prevent unbounded recursion in GUE error
handler"), I didn't take care of the case where UDP-Lite is encapsulated
into UDP or UDP-Lite with GUE. From a syzbot report about a possibly
similar issue with GUE on IPv6, I just realised the same thing might
happen with a UDP-Lite inner payload.

Also skip exception handling for inner UDP-Lite protocol.

Fixes: 6305f06f1bde ("fou: Prevent unbounded recursion in GUE error handler")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
index 0c9f171fb085e15c50416b5969e68c98569faecd..632863541082230228da1e63927b9d5c72042350 100644 (file)
--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -1065,7 +1065,8 @@ static int gue_err(struct sk_buff *skb, u32 info)
         * recursion. Besides, this kind of encapsulation can't even be
         * configured currently. Discard this.
         */
-       if (guehdr->proto_ctype == IPPROTO_UDP)
+       if (guehdr->proto_ctype == IPPROTO_UDP ||
+           guehdr->proto_ctype == IPPROTO_UDPLITE)
                return -EOPNOTSUPP;
 
        skb_set_transport_header(skb, -(int)sizeof(struct icmphdr));