Commit 74b6bea3 authored by Zheng Li's avatar Zheng Li Committed by Stefan Bader

ipv6: Should use consistent conditional judgement for ip6 fragment between...

ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output

There is an inconsistent conditional judgement between __ip6_append_data
and ip6_finish_output functions, the variable length in __ip6_append_data
just include the length of application's payload and udp6 header, don't
include the length of ipv6 header, but in ip6_finish_output use
(skb->len > ip6_skb_dst_mtu(skb)) as judgement, and skb->len include the
length of ipv6 header.

That causes some particular application's udp6 payloads whose length are
between (MTU - IPv6 Header) and MTU were fragmented by ip6_fragment even
though the rst->dev support UFO feature.

Add the length of ipv6 header to length in __ip6_append_data to keep
consistent conditional judgement as ip6_finish_output for ip6 fragment.
Signed-off-by: default avatarZheng Li <james.z.li@ericsson.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>

CVE-2017-1000112

(cherry-picked from commit e4c5e13a)
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
parent 0de6ee9d
......@@ -1361,7 +1361,7 @@ static int __ip6_append_data(struct sock *sk,
*/
cork->length += length;
if (((length > mtu) ||
if ((((length + fragheaderlen) > mtu) ||
(skb && skb_is_gso(skb))) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment