    net: qdisc_pkt_len_init() should be more robust · 7c68d1a6
    Eric Dumazet authored
    Without proper validation of DODGY packets, we might very well
    feed qdisc_pkt_len_init() with invalid GSO packets.
    
    tcp_hdrlen() might access out-of-bound data, so let's use
    skb_header_pointer() and proper checks.
    
    Whole story is described in commit d0c081b4 ("flow_dissector:
    properly cap thoff field")
    
    We have the goal of validating DODGY packets earlier in the stack,
    so we might very well revert this fix in the future.
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Willem de Bruijn <willemb@google.com>
    Cc: Jason Wang <jasowang@redhat.com>
    Reported-by: syzbot+9da69ebac7dddd804552@syzkaller.appspotmail.com
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
dev.c 221 KB
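
A user-space sketch of the pattern the commit message names: a bounds-checked header read in place of a direct tcp_hdrlen()-style access. This is an added example, not the kernel patch: `struct pkt`, `hdr_ptr()`, `gso_hdr_len()` and `demo()` are hypothetical names, the sample bytes are constructed, and leaving out the transport header length when the read fails is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space stand-in for an skb: one linear buffer only. */
struct pkt {
    const uint8_t *data;  /* start of packet bytes */
    size_t len;           /* bytes actually present */
    size_t thoff;         /* transport header offset */
};

/* Model of a bounds-checked header read: copy n bytes at off into buf,
 * or return NULL when the packet does not contain that range. */
static const uint8_t *hdr_ptr(const struct pkt *p, size_t off, size_t n,
                              uint8_t *buf)
{
    if (off > p->len || n > p->len - off)
        return NULL;
    memcpy(buf, p->data + off, n);
    return buf;
}

/* Per-segment header length: bytes before the transport header, plus the
 * TCP header length only when a full 20-byte TCP header is readable. */
size_t gso_hdr_len(const struct pkt *p)
{
    uint8_t tmp[20];
    size_t hdr_len = p->thoff;
    const uint8_t *th = hdr_ptr(p, p->thoff, sizeof(tmp), tmp);

    if (th)
        hdr_len += (size_t)(th[12] >> 4) * 4;  /* data offset in 32-bit words */
    return hdr_len;
}

/* Constructed sample: 34 bytes of lower headers, then a TCP header whose
 * data offset is 8 (32 bytes); only `present` bytes are in the buffer. */
size_t demo(size_t present)
{
    static uint8_t sample[66];
    struct pkt p = { sample, present, 34 };
    sample[34 + 12] = 0x80;  /* data offset 8 in the upper nibble */
    return gso_hdr_len(&p);
}

int main(void)
{
    printf("full=%zu truncated=%zu\n", demo(66), demo(40));
    return 0;
}
```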