From: Linus Lüssing
To: netdev@vger.kernel.org
Cc: Roopa Prabhu, Nikolay Aleksandrov, Martin Weinelt, "David S . Miller", bridge@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Linus Lüssing
Subject: [PATCH net v2] bridge: mcast: Fix MLD2 Report IPv6 payload length check
Date: Sun, 5 Jul 2020 21:10:17 +0200
Message-Id: <20200705191017.10546-1-linus.luessing@c0d3.blue>

Commit e57f61858b7c ("net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling") introduced a bug in the IPv6 header payload length check which would potentially lead to rejecting a valid MLD2 Report:

The check needs to take into account the 2 bytes for the "Number of Sources" field in the "Multicast Address Record" before reading it. And not the size of a pointer to this field.

Fixes: e57f61858b7c ("net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling")
Acked-by: Nikolay Aleksandrov
Signed-off-by: Linus Lüssing
---
Changelog v2:
* updated commit message, the issue is accidentally rejecting a valid and not accepting an invalid MLD2 Report

net/bridge/br_multicast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 83490bf73a13..4c4a93abde68 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -1000,21 +1000,21 @@ static int br_ip6_multicast_mld2_report(struct net_bridge *br, num = ntohs(icmp6h->icmp6_dataun.un_data16[1]); len = skb_transport_offset(skb) + sizeof(*icmp6h); for (i = 0; i < num; i++) { __be16 *_nsrcs, __nsrcs; u16 nsrcs; nsrcs_offset = len + offsetof(struct mld2_grec, grec_nsrcs); if (skb_transport_offset(skb) + ipv6_transport_len(skb) < - nsrcs_offset + sizeof(_nsrcs)) + nsrcs_offset + sizeof(__nsrcs)) return -EINVAL; _nsrcs = skb_header_pointer(skb, nsrcs_offset, sizeof(__nsrcs), &__nsrcs); if (!_nsrcs) return -EINVAL; nsrcs = ntohs(*_nsrcs); grec_len = struct_size(grec, grec_src, nsrcs); -- 2.27.0
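
Review bot: In the changed bound inside the for loop of br_ip6_multicast_mld2_report(), the fix relies on telling `_nsrcs` (declared `__be16 *`) apart from `__nsrcs` (declared `__be16`) by a single underscore, which is the same near-collision that let the pointer size into the check in the first place. Writing the bound as `nsrcs_offset + sizeof(*_nsrcs)`, or giving the on-stack buffer a more distinct name, would tie the length to the field type and keep it visibly in step with the `sizeof(__nsrcs)` passed to the skb_header_pointer() call that follows. The Fixes: commit title also covers igmp3 report handling while this patch touches only the MLD2 function, so the commit message should say whether the IGMPv3 length check was verified to be unaffected.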