Commit 0ca67031 authored by zheng li's avatar zheng li Committed by Stefan Bader

ipv4: Should use consistent conditional judgement for ip fragment in...

ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output

There is an inconsistent conditional judgement in __ip_append_data and
ip_finish_output functions, the variable length in __ip_append_data just
include the length of application's payload and udp header, don't include
the length of ip header, but in ip_finish_output use
(skb->len > ip_skb_dst_mtu(skb)) as judgement, and skb->len include the
length of ip header.

That causes some particular application's udp payload whose length is
between (MTU - IP Header) and MTU were fragmented by ip_fragment even
though the rst->dev support UFO feature.

Add the length of ip header to length in __ip_append_data to keep
consistent conditional judgement as ip_finish_output for ip fragment.
Signed-off-by: default avatarZheng Li <james.z.li@ericsson.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>

CVE-2017-1000112

(cherry-picked from commit 0a28cfd5)
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
parent ccf7bb73
......@@ -922,7 +922,7 @@ static int __ip_append_data(struct sock *sk,
csummode = CHECKSUM_PARTIAL;
cork->length += length;
if (((length > mtu) || (skb && skb_is_gso(skb))) &&
if ((((length + fragheaderlen) > mtu) || (skb && skb_is_gso(skb))) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
(sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment