Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp15710imu; Thu, 8 Nov 2018 13:59:01 -0800 (PST) X-Google-Smtp-Source: AJdET5dBMWoYeXpuYcDV71ZenMHBq463NGQY1VKb3x21rrhVkAb5xMthifW4lPWpuEs6u4KmoxdY X-Received: by 2002:a63:b54f:: with SMTP id u15mr5188042pgo.420.1541714341557; Thu, 08 Nov 2018 13:59:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541714341; cv=none; d=google.com; s=arc-20160816; b=s0RSle8wffwAxfkmCWF4ubuaCUdEdopTNAybAn/DJU6IOSDieKZhDvuMeEdv3+F8EC Zu4egAWtmUSCxfRbEHX/mCTDoJnNIqkG5dbMgGBIm3+2qVkIu3BofyajpLieEX6XARx/ vD18GyP+iLYXCXeDFWuDhzdDjDN2AiHuFG/TLhgdVsCS1UEcQjp/3xVn700aCt68peTX FaeMWljoX7kKF+JMSF6gMHjxzLHqN8e+MFmZzAdcWcMbevjJb3roU4tatQGJh7zADwvF azC8lqX8h22z0d43V62mJQUdLZruJfPYF3VJY0Ad1XAWGpmG1BJYue60ZVbDANjYZ1Wy A6xA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=65Y0fV8PXJNwmJsJY9oSeSDyPVWwNyboP2AiqdulWr8=; b=XTK/r8WK2Ansc3wvVgEvEcljmljnPd19cMTkrz3p2/03QSvtoeSa8F4Obi6/QdN7Jq QYGUMoe1BZqWfnJBGl5bXh7h3c/rnAmtvb7AUu5etBJ7Awcqf54/QBoX+8brEILVHG/a 0XpjjLv6mD45mHtMmuojWh1tq+h/08jX0fO/koZ6OlkZ0/Hra6uh4ypkuLAxc1jTZ628 k7TxkURbt9UkKy/2/1Z6Rv5jdg0ZoCw8xxaX3bDPl25Qxo7B93cVAlwd7+mrfQrR6J89 uQEMXCxBOjnUHESgT0BpwKSZfGKOfwFAIo4X2ZJAENWohx9W3tx+qORJBK6CRcOcUQdX chOw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=kQGMwm3+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u9-v6si5418037pls.150.2018.11.08.13.58.45; Thu, 08 Nov 2018 13:59:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=kQGMwm3+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729551AbeKIHfC (ORCPT + 99 others); Fri, 9 Nov 2018 02:35:02 -0500 Received: from mail.kernel.org ([198.145.29.99]:51790 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726926AbeKIHfA (ORCPT ); Fri, 9 Nov 2018 02:35:00 -0500 Received: from localhost (unknown [208.72.13.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CEC9E20892; Thu, 8 Nov 2018 21:57:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541714252; bh=A8xwQYfr8k2TzyEeNkaqj7fz1KzzsMflz8cwlGFd3/A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kQGMwm3+R0jFbEYiqPjJEy93qwyykUOiqf0veLXoQs8HGtBHyJq2dClg0kbmrn9AG zhIMBPJHBX4/udcguGIizbcgKcFggFo04BzX/JaDz+zO1u/zkCvRDN3MLDv4DiKaRC 0HMNQb2gJoitEpZAMy5BA5P/C7p4vDjXJvLr/i2k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , Cong Wang , "David S. Miller" Subject: [PATCH 3.18 138/144] net: drop skb on failure in ip_check_defrag() Date: Thu, 8 Nov 2018 13:51:49 -0800 Message-Id: <20181108215108.159258650@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181108215054.826084593@linuxfoundation.org> References: <20181108215054.826084593@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Cong Wang [ Upstream commit 7de414a9dd91426318df7b63da024b2b07e53df5 ] Most callers of pskb_trim_rcsum() simply drop the skb when it fails, however, ip_check_defrag() still continues to pass the skb up to stack. This is suspicious. In ip_check_defrag(), after we learn the skb is an IP fragment, passing the skb to callers makes no sense, because callers expect fragments are defrag'ed on success. So, dropping the skb when we can't defrag it is reasonable. Note, prior to commit 88078d98d1bb, this is not a big problem as checksum will be fixed up anyway. After it, the checksum is not correct on failure. Found this during code review. Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends") Cc: Eric Dumazet Signed-off-by: Cong Wang Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/ip_fragment.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -684,10 +684,14 @@ struct sk_buff *ip_check_defrag(struct s if (ip_is_fragment(&iph)) { skb = skb_share_check(skb, GFP_ATOMIC); if (skb) { - if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) - return skb; - if (pskb_trim_rcsum(skb, netoff + len)) - return skb; + if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) { + kfree_skb(skb); + return NULL; + } + if (pskb_trim_rcsum(skb, netoff + len)) { + kfree_skb(skb); + return NULL; + } memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); if (ip_defrag(skb, user)) return NULL;