From: Linus Lüssing
To: netdev@vger.kernel.org
Cc: Roopa Prabhu, Nikolay Aleksandrov, Martin Weinelt, "David S. Miller", bridge@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Linus Lüssing
Subject: [PATCH net] bridge: mcast: Fix MLD2 Report IPv6 payload length check
Date: Sun, 5 Jul 2020 20:22:34 +0200
Message-Id: <20200705182234.10257-1-linus.luessing@c0d3.blue>

Commit e57f61858b7c ("net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling") introduced a small bug which would potentially lead to accepting an MLD2 Report with a broken IPv6 header payload length field.

The check needs to take into account the 2 bytes for the "Number of Sources" field in the "Multicast Address Record" before reading it. And not the size of a pointer to this field.

Fixes: e57f61858b7c ("net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling")
Signed-off-by: Linus Lüssing --- net/bridge/br_multicast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 83490bf73a13..4c4a93abde68 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -1000,21 +1000,21 @@ static int br_ip6_multicast_mld2_report(struct net_bridge *br, num = ntohs(icmp6h->icmp6_dataun.un_data16[1]); len = skb_transport_offset(skb) + sizeof(*icmp6h); for (i = 0; i < num; i++) { __be16 *_nsrcs, __nsrcs; u16 nsrcs; nsrcs_offset = len + offsetof(struct mld2_grec, grec_nsrcs); if (skb_transport_offset(skb) + ipv6_transport_len(skb) < - nsrcs_offset + sizeof(_nsrcs)) + nsrcs_offset + sizeof(__nsrcs)) return -EINVAL; _nsrcs = skb_header_pointer(skb, nsrcs_offset, sizeof(__nsrcs), &__nsrcs); if (!_nsrcs) return -EINVAL; nsrcs = ntohs(*_nsrcs); grec_len = struct_size(grec, grec_src, nsrcs); -- 2.27.0
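Review bot: the guard now uses the same `sizeof(__nsrcs)` that is passed to `skb_header_pointer()` two lines below, so the bounds check and the read finally agree on the 2-byte width of `grec_nsrcs`; the one-line change is correct. On the changelog rather than the hunk: a `__be16 *` is 4 or 8 bytes wide while `__be16` is 2, so the pre-fix check demanded more payload than necessary, i.e. it was stricter than required rather than lenient, and the wording about "accepting" a report with a broken payload length may be worth re-examining before merge. Since the root cause was the one-underscore difference between `_nsrcs` and `__nsrcs`, consider writing the guard as `sizeof(*_nsrcs)` or `sizeof_field(struct mld2_grec, grec_nsrcs)`, which stays correct whichever variable gets renamed later.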
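For the record layout the changelog refers to, here is an added example (mine, not part of the patch or of the kernel) that walks the Multicast Address Records of an MLD2 Report in user space with the corrected 2-byte guard applied before "Number of Sources" is read; `mld2_count_records`, `check_sample` and the sample packet are constructed for this illustration, and the aux-data words are counted as well, which the hunk does not show.

```c
#include <stddef.h>
#include <stdint.h>

#define MLD2_HDR_LEN  8   /* ICMPv6 type/code/csum (4) + reserved (2) + nrecords (2) */
#define MLD2_GREC_LEN 20  /* type (1) + aux_len (1) + nsrcs (2) + multicast address (16) */
#define IN6_LEN       16

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the Multicast Address Records of an MLD2 Report payload.  Returns the
 * record count when every record fits in payload_len, otherwise -1 (where the
 * bridge code returns -EINVAL).  Hypothetical user-space helper, not kernel code. */
int mld2_count_records(const uint8_t *payload, size_t payload_len)
{
    size_t len = MLD2_HDR_LEN;
    if (payload_len < MLD2_HDR_LEN)
        return -1;
    uint16_t num = rd16(payload + 6);
    for (uint16_t i = 0; i < num; i++) {
        size_t nsrcs_off = len + 2;   /* offsetof(struct mld2_grec, grec_nsrcs) */
        /* The patched check: the 2-byte field itself must fit before it is read
         * (sizeof a __be16, not sizeof a pointer to one). */
        if (payload_len < nsrcs_off + sizeof(uint16_t))
            return -1;
        uint16_t nsrcs = rd16(payload + nsrcs_off);
        /* Record body: fixed part + 16 bytes per source + 4 bytes per aux word. */
        size_t grec_len = MLD2_GREC_LEN + (size_t)nsrcs * IN6_LEN + (size_t)payload[len + 1] * 4;
        if (payload_len < len + grec_len)
            return -1;
        len += grec_len;
    }
    return num;
}

/* Constructed sample: two records, the second with one source and one aux word
 * (68 bytes in total).  Returns the parser's verdict for the payload cut to 'cut' bytes. */
int check_sample(size_t cut)
{
    uint8_t buf[68] = { 143, 0, 0, 0, 0, 0, 0, 2 };                /* MLD2 report, 2 records */
    buf[8] = 4;  buf[12] = 0xff; buf[13] = 0x02; buf[27] = 0x16;   /* rec 1: ff02::16, 0 sources */
    buf[28] = 1; buf[29] = 1; buf[31] = 1;                         /* rec 2: 1 aux word, 1 source */
    buf[32] = 0xff; buf[33] = 0x05; buf[47] = 0x01;                /* group ff05::1 */
    buf[48] = 0x20; buf[49] = 0x01; buf[50] = 0x0d; buf[51] = 0xb8; buf[63] = 0x01; /* 2001:db8::1 */
    return cut > sizeof(buf) ? -1 : mld2_count_records(buf, cut);
}
```

Cutting the sample to 31 bytes makes the second record's `nsrcs` guard fire, while cutting it to 67 bytes passes that guard and is caught by the whole-record check instead.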