From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, Cong Wang, "David S. Miller"
Subject: [PATCH 4.19 16/24] net: drop skb on failure in ip_check_defrag()
Date: Fri, 2 Nov 2018 19:34:49 +0100
Message-Id: <20181102182842.282025261@linuxfoundation.org>
In-Reply-To: <20181102182839.725385066@linuxfoundation.org>
References: <20181102182839.725385066@linuxfoundation.org>

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Cong Wang

[ Upstream commit 7de414a9dd91426318df7b63da024b2b07e53df5 ]

Most callers of pskb_trim_rcsum() simply drop the skb when it fails, however, ip_check_defrag() still continues to pass the skb up to stack. This is suspicious.

In ip_check_defrag(), after we learn the skb is an IP fragment, passing the skb to callers makes no sense, because callers expect fragments are defrag'ed on success. So, dropping the skb when we can't defrag it is reasonable.

Note, prior to commit 88078d98d1bb, this is not a big problem as checksum will be fixed up anyway. After it, the checksum is not correct on failure.

Found this during code review.

Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends")
Cc: Eric Dumazet
Signed-off-by: Cong Wang
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv4/ip_fragment.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c 
@@ -720,10 +720,14 @@ struct sk_buff *ip_check_defrag(struct n if (ip_is_fragment(&iph)) { skb = skb_share_check(skb, GFP_ATOMIC); if (skb) { - if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) - return skb; - if (pskb_trim_rcsum(skb, netoff + len)) - return skb; + if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) { + kfree_skb(skb); + return NULL; + } + if (pskb_trim_rcsum(skb, netoff + len)) { + kfree_skb(skb); + return NULL; + } memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); if (ip_defrag(net, skb, user)) return NULL;
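
Review bot: the two new error branches inside the if (skb) block have identical bodies (kfree_skb(skb); return NULL;), so they could be folded into a single condition, !pskb_may_pull(skb, netoff + iph.ihl * 4) || pskb_trim_rcsum(skb, netoff + len), or routed to one shared drop label, which keeps the free-and-return in one place for any later failure path. Short-circuit evaluation preserves the pull-before-trim order the hunk relies on. Returning NULL matches the existing "if (ip_defrag(net, skb, user)) return NULL;" just below, so NULL already means the skb has been consumed; since these same failures previously handed the skb back to the caller, a one-line comment on ip_check_defrag() stating that the skb is freed on failure would document the changed ownership contract. Neither drop path in the lines shown increments a counter, so consider whether these drops should be visible in statistics.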