Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751102AbdGaUOA (ORCPT ); Mon, 31 Jul 2017 16:14:00 -0400
Received: from mail-oi0-f54.google.com ([209.85.218.54]:33676 "EHLO mail-oi0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751017AbdGaUN6 (ORCPT ); Mon, 31 Jul 2017 16:13:58 -0400
MIME-Version: 1.0
In-Reply-To: <1501471381-12808-1-git-send-email-yujuan.qi@mediatek.com>
References: <1501471381-12808-1-git-send-email-yujuan.qi@mediatek.com>
From: Paul Moore
Date: Mon, 31 Jul 2017 16:13:57 -0400
Message-ID:
Subject: Re: [PATCH] Cipso: cipso_v4_optptr enter infinite loop
To: Yujuan Qi
Cc: "David S. Miller" , Casey Schaufler , netdev@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org, Ryder Lee
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1504
Lines: 44

On Sun, Jul 30, 2017 at 11:23 PM, Yujuan Qi wrote:
> From: "yujuan.qi"
>
> In for(), if ((optlen > 0) && (optptr[1] == 0)), enter infinite loop.
>
> Test: receive a packet in which the IP length > 20 and the first byte of the IP option is 0; this produces the issue.
>
> Signed-off-by: yujuan.qi
> ---
> net/ipv4/cipso_ipv4.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)

Considering I gave you the code below I should probably ack it, right? ;)

Acked-by: Paul Moore

> diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
> index ae20616..0d1e07d 100644
> --- a/net/ipv4/cipso_ipv4.c
> +++ b/net/ipv4/cipso_ipv4.c
> @@ -1523,9 +1523,17 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb) > int taglen; > > for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) { > - if (optptr[0] == IPOPT_CIPSO) > + switch (optptr[0]) { > + case IPOPT_CIPSO: > return optptr; > - taglen = optptr[1]; > + case IPOPT_END: > + return NULL; > + case IPOPT_NOOP: > + taglen = 1; > + break; > + default: > + taglen = optptr[1]; > + } > optlen -= taglen; > optptr += taglen; > }

--
paul moore
security @ redhat
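Review bot: the `default:` arm of the new switch still assigns `taglen = optptr[1];` with no validation, so any option type other than IPOPT_END (0) or IPOPT_NOOP whose length byte is 0 leaves `optlen` and `optptr` unchanged and the loop still never terminates; the patch closes only the type-0 case named in the commit message, not the general zero-length case. A length byte of 1 in that arm is likewise accepted and misaligns the walk, and `optptr[1]` is read before anyone has confirmed that `optlen >= 2`. Suggest checking `optlen >= 2` before reading the length byte and then rejecting out-of-range values before the pointer arithmetic, e.g. `if (taglen < 2 || taglen > optlen) return NULL;` placed between the switch and `optlen -= taglen;`, so a malformed option aborts the scan instead of spinning or overshooting the option area.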