Commit 05fb3dbd authored by Robin Murphy's avatar Robin Murphy Committed by Will Deacon

arm64: csum: Fix handling of bad packets

Although iph is expected to point to at least 20 bytes of valid memory,
ihl may be bogus, for example on reception of a corrupt packet. If it
happens to be less than 5, we really don't want to run away and
dereference 16GB worth of memory until it wraps back to exactly zero...

Fixes: 0e455d8e ("arm64: Implement optimised IP checksum helpers")
Reported-by: default avatarguodeqing <geffrey.guo@huawei.com>
Signed-off-by: default avatarRobin Murphy <robin.murphy@arm.com>
Signed-off-by: default avatarWill Deacon <will@kernel.org>
parent 835d1c3a
...@@ -24,16 +24,17 @@ static inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl) ...@@ -24,16 +24,17 @@ static inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl)
{ {
__uint128_t tmp; __uint128_t tmp;
u64 sum; u64 sum;
int n = ihl; /* we want it signed */
tmp = *(const __uint128_t *)iph; tmp = *(const __uint128_t *)iph;
iph += 16; iph += 16;
ihl -= 4; n -= 4;
tmp += ((tmp >> 64) | (tmp << 64)); tmp += ((tmp >> 64) | (tmp << 64));
sum = tmp >> 64; sum = tmp >> 64;
do { do {
sum += *(const u32 *)iph; sum += *(const u32 *)iph;
iph += 4; iph += 4;
} while (--ihl); } while (--n > 0);
sum += ((sum >> 32) | (sum << 32)); sum += ((sum >> 32) | (sum << 32));
return csum_fold((__force u32)(sum >> 32)); return csum_fold((__force u32)(sum >> 32));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment