Commit f1fb08f6 authored by Vincent Bernat's avatar Vincent Bernat Committed by David S. Miller

vxlan: fix ND proxy when skb doesn't have transport header offset

When an incoming frame is tagged or when GRO is disabled, the skb
handled to vxlan_xmit() doesn't contain a valid transport header
offset. This makes ND proxying fail.

We combine two changes: replace use of skb_transport_offset() and ensure
the necessary amount of skb is linear just before using it:

 - In vxlan_xmit(), when determining if we have an ICMPv6 neighbor
   discovery packet, just check if it is an ICMPv6 packet and rely on
   neigh_reduce() to do more checks if this is the case. The use of
   pskb_may_pull() is replaced by skb_header_pointer() for just the IPv6
   header.

 - In neigh_reduce(), add pskb_may_pull() for IPv6 header and neighbor
   discovery message since this was removed from vxlan_xmit(). Replace
   skb_transport_header() with ipv6_hdr() + 1.

 - In vxlan_na_create(), replace first skb_transport_offset() with
   ipv6_hdr() + 1 and second with skb_network_offset() + sizeof(struct
   ipv6hdr). Additionally, ensure we pskb_may_pull() the whole skb as we
   need it to iterate over the options.
Signed-off-by: default avatarVincent Bernat <vincent@bernat.im>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent d229d48d
...@@ -1515,7 +1515,7 @@ static struct sk_buff *vxlan_na_create(struct sk_buff *request, ...@@ -1515,7 +1515,7 @@ static struct sk_buff *vxlan_na_create(struct sk_buff *request,
int ns_olen; int ns_olen;
int i, len; int i, len;
if (dev == NULL) if (dev == NULL || !pskb_may_pull(request, request->len))
return NULL; return NULL;
len = LL_RESERVED_SPACE(dev) + sizeof(struct ipv6hdr) + len = LL_RESERVED_SPACE(dev) + sizeof(struct ipv6hdr) +
...@@ -1530,10 +1530,11 @@ static struct sk_buff *vxlan_na_create(struct sk_buff *request, ...@@ -1530,10 +1530,11 @@ static struct sk_buff *vxlan_na_create(struct sk_buff *request,
skb_push(reply, sizeof(struct ethhdr)); skb_push(reply, sizeof(struct ethhdr));
skb_reset_mac_header(reply); skb_reset_mac_header(reply);
ns = (struct nd_msg *)skb_transport_header(request); ns = (struct nd_msg *)(ipv6_hdr(request) + 1);
daddr = eth_hdr(request)->h_source; daddr = eth_hdr(request)->h_source;
ns_olen = request->len - skb_transport_offset(request) - sizeof(*ns); ns_olen = request->len - skb_network_offset(request) -
sizeof(struct ipv6hdr) - sizeof(*ns);
for (i = 0; i < ns_olen-1; i += (ns->opt[i+1]<<3)) { for (i = 0; i < ns_olen-1; i += (ns->opt[i+1]<<3)) {
if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) { if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) {
daddr = ns->opt + i + sizeof(struct nd_opt_hdr); daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
...@@ -1604,10 +1605,13 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni) ...@@ -1604,10 +1605,13 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
if (!in6_dev) if (!in6_dev)
goto out; goto out;
if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + sizeof(struct nd_msg)))
goto out;
iphdr = ipv6_hdr(skb); iphdr = ipv6_hdr(skb);
daddr = &iphdr->daddr; daddr = &iphdr->daddr;
msg = (struct nd_msg *)skb_transport_header(skb); msg = (struct nd_msg *)(iphdr + 1);
if (msg->icmph.icmp6_code != 0 || if (msg->icmph.icmp6_code != 0 ||
msg->icmph.icmp6_type != NDISC_NEIGHBOUR_SOLICITATION) msg->icmph.icmp6_type != NDISC_NEIGHBOUR_SOLICITATION)
goto out; goto out;
...@@ -2242,15 +2246,12 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev) ...@@ -2242,15 +2246,12 @@ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
if (ntohs(eth->h_proto) == ETH_P_ARP) if (ntohs(eth->h_proto) == ETH_P_ARP)
return arp_reduce(dev, skb, vni); return arp_reduce(dev, skb, vni);
#if IS_ENABLED(CONFIG_IPV6) #if IS_ENABLED(CONFIG_IPV6)
else if (ntohs(eth->h_proto) == ETH_P_IPV6 && else if (ntohs(eth->h_proto) == ETH_P_IPV6) {
pskb_may_pull(skb, sizeof(struct ipv6hdr) struct ipv6hdr *hdr, _hdr;
+ sizeof(struct nd_msg)) && if ((hdr = skb_header_pointer(skb,
ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6) { skb_network_offset(skb),
struct nd_msg *msg; sizeof(_hdr), &_hdr)) &&
hdr->nexthdr == IPPROTO_ICMPV6)
msg = (struct nd_msg *)skb_transport_header(skb);
if (msg->icmph.icmp6_code == 0 &&
msg->icmph.icmp6_type == NDISC_NEIGHBOUR_SOLICITATION)
return neigh_reduce(dev, skb, vni); return neigh_reduce(dev, skb, vni);
} }
#endif #endif
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment