Skip to content

Commit f76d54a

Browse files
davem330gregkh
davem330
authored and
gregkh
committed
ipv6: Check ip6_find_1stfragopt() return value properly.
[ Upstream commit 7dd7eb9513bd02184d45f000ab69d78cb1fa1531 ] Do not use unsigned variables to see if it returns a negative error or not. Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options") Reported-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent 017fabe commit f76d54a

3 files changed

Lines changed: 12 additions & 12 deletions

File tree

net/ipv6/ip6_offload.c

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -62,7 +62,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
6262
const struct net_offload *ops;
6363
int proto;
6464
struct frag_hdr *fptr;
65-
unsigned int unfrag_ip6hlen;
6665
u8 *prevhdr;
6766
int offset = 0;
6867
bool encap, udpfrag;
@@ -121,10 +120,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
121120
skb->network_header = (u8 *)ipv6h - skb->head;
122121

123122
if (udpfrag) {
124-
unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
125-
if (unfrag_ip6hlen < 0)
126-
return ERR_PTR(unfrag_ip6hlen);
127-
fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
123+
int err = ip6_find_1stfragopt(skb, &prevhdr);
124+
if (err < 0)
125+
return ERR_PTR(err);
126+
fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
128127
fptr->frag_off = htons(offset);
129128
if (skb->next)
130129
fptr->frag_off |= htons(IP6_MF);

net/ipv6/ip6_output.c

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -571,11 +571,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
571571
int ptr, offset = 0, err = 0;
572572
u8 *prevhdr, nexthdr = 0;
573573

574-
hlen = ip6_find_1stfragopt(skb, &prevhdr);
575-
if (hlen < 0) {
576-
err = hlen;
574+
err = ip6_find_1stfragopt(skb, &prevhdr);
575+
if (err < 0)
577576
goto fail;
578-
}
577+
hlen = err;
579578
nexthdr = *prevhdr;
580579

581580
mtu = ip6_skb_dst_mtu(skb);

net/ipv6/udp_offload.c

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
2929
u8 frag_hdr_sz = sizeof(struct frag_hdr);
3030
__wsum csum;
3131
int tnl_hlen;
32+
int err;
3233

3334
mss = skb_shinfo(skb)->gso_size;
3435
if (unlikely(skb->len <= mss))
@@ -97,9 +98,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
9798
/* Find the unfragmentable header and shift it left by frag_hdr_sz
9899
* bytes to insert fragment header.
99100
*/
100-
unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
101-
if (unfrag_ip6hlen < 0)
102-
return ERR_PTR(unfrag_ip6hlen);
101+
err = ip6_find_1stfragopt(skb, &prevhdr);
102+
if (err < 0)
103+
return ERR_PTR(err);
104+
unfrag_ip6hlen = err;
103105
nexthdr = *prevhdr;
104106
*prevhdr = NEXTHDR_FRAGMENT;
105107
unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +

0 commit comments

Comments
 (0)