From: Alexander Potapenko
Date: Wed, 27 Sep 2017 14:58:07 +0200
Subject: Re: [PATCH v2] tun: bail out from tun_get_user() if the skb is empty
To: Eric Dumazet
Cc: David Miller, Eric Dumazet, Dmitriy Vyukov, syzkaller, Networking, LKML
In-Reply-To: <1506516344.6617.39.camel@edumazet-glaptop3.roam.corp.google.com>
References: <20170927121649.90557-1-glider@google.com> <1506516168.6617.38.camel@edumazet-glaptop3.roam.corp.google.com> <1506516344.6617.39.camel@edumazet-glaptop3.roam.corp.google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Sep 27, 2017 at 2:45 PM, Eric Dumazet wrote:
> On Wed, 2017-09-27 at 05:42 -0700, Eric Dumazet wrote:
>
>> Or something cleaner to avoid copy/paste and focus on proper
>> skb->data[0] access and meaning.

By the way I'm wondering if this is the only place where skb->data is being accessed.
Isn't eth_type_trans() under IFF_TAP also touching it? Then we need to check the size earlier.

>> Thanks.
>>
>> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
>> index 3c9985f299503ea65dad7eb3b47e2ab3bef87800..8ddb840687c1bdb24e4182612abc9e362624c3e9 100644
>> --- a/drivers/net/tun.c
>> +++ b/drivers/net/tun.c
>> @@ -1496,11 +1496,13 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
>> switch (tun->flags & TUN_TYPE_MASK) {
>> case IFF_TUN:
>> if (tun->flags & IFF_NO_PI) {
>> - switch (skb->data[0] & 0xf0) {
>> - case 0x40:
>> + u8 ip_proto = skb->len ? (skb->data[0] >> 4) : 0;
>
> And name this variable ip_version ;)
>

--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Paul Manicle, Halimah DeLaine Prado
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
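Review bot: `ip_proto` is a misleading name for the value computed on the `+` line, since `skb->data[0] >> 4` yields the IP version nibble rather than a protocol number; rename it `ip_version` as suggested, and because the value is now shifted right instead of masked with `0xf0`, the `case` labels that follow the removed `case 0x40:` must compare against `4` (and the corresponding small values for any other versions handled) rather than `0x40`. The `skb->len ?` guard also protects only this single read: as the reply above notes, the IFF_TAP branch of the same switch calls eth_type_trans(), which touches skb->data too, so an empty skb is better rejected once, before the `switch (tun->flags & TUN_TYPE_MASK)`, than patched around at each access.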