Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1893305pxk; Tue, 1 Sep 2020 10:10:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwkW7txjbspTwRhNfNVn+dUYo+U6bFZrrmMLhsfjjp9bTUycil9lB3vWOfwuLgSCOucf5xG X-Received: by 2002:aa7:c159:: with SMTP id r25mr2789282edp.317.1598980259261; Tue, 01 Sep 2020 10:10:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598980259; cv=none; d=google.com; s=arc-20160816; b=SQi6h9N87baUQPTJfyPKb1Mx/rqpZrHLL0aWF+zhNIN9y5eLxBJE2zq7vSPLu1KzQT 0Rtd+SMpQ/FvRwnhI3SCyZuKlJW10sytBTf+s4WLb/+ds/ePk4Nds7lnS4hwzBMb5GjM bUZo38rgkUrdIC3Smxeadf6oblqZ8FfeqUVuRapAugRoq7gjtuc1p7xj8LejRk6TsK0+ N0oOHPhLceWnrMGMe2wwp8RanSRG3wm8GCfJZrF2rFPckLFkLMYEnk/j5d6qDTCzEAYs NASBpmT/PESI1dMCT4NxsKUfmNLP1js0hESnz/s8Fn4k8CBw959z/i9Co5qvLdklvSyO PQyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=5ZirBzigZgYx+9laG6/J6TQgv7hQQ5zY3awWMGHqo+k=; b=S9es1jZV96rGz9va8Phxkx5Lb9Q7/uCNaPCDmaCLBq9q0+lk7tYNdtFNYKC2q0s7yi euAXSNwsYGyl0j8C5hdRlmYCsy9HNr/JWN0b0DB7mr4pjc6njeZB7h1BpNqaWIrENHxA 88zaIaQfFGHW2nGc/HE/nDRcE5EgXcBRpAjWfntp4b2sJfV0MCmZXe1A36uMJo85jd86 MYCeI3X+D7enXxzbFzTRDAWEl+qyIF40U1/eVTmHKEVTVc449sEozAEmNEfRsNOsMkME P3XVrhB4iHmvv965erbnXYolP1MP0Fm+Ivw65ud+gMcu6ZNJLT/zQp9Ngdsx5kjit0RS A2OQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=fvP5Hych; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s22si840742edc.481.2020.09.01.10.10.36; Tue, 01 Sep 2020 10:10:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=fvP5Hych; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730242AbgIARIJ (ORCPT + 99 others); Tue, 1 Sep 2020 13:08:09 -0400 Received: from mail.kernel.org ([198.145.29.99]:36228 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728827AbgIAPSK (ORCPT ); Tue, 1 Sep 2020 11:18:10 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 907D1206EB; Tue, 1 Sep 2020 15:18:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598973490; bh=6U3tpnVDynBvNo+gSnrFfnNkeZUzIxS3spDzXru5xkM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fvP5HychZ4rJUsfBkxsNMZEHS6qChIRCZHqF5qGLpppkcGo5Jm8X86MnTe6JD1bnQ XvbQz2Hg1baP6+mZ6QB8AQmupOVKPpoz35T170Xi1zOTUTRM6JMEUCWYxLHIXuU91J 3EMT4lb1sXbhDC3XP8eKBG//cK4EVsLXNb8OD3Sg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Miaohe Lin , "David S. Miller" Subject: [PATCH 4.14 02/91] net: Fix potential wrong skb->protocol in skb_vlan_untag() Date: Tue, 1 Sep 2020 17:09:36 +0200 Message-Id: <20200901150928.238578130@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200901150928.096174795@linuxfoundation.org> References: <20200901150928.096174795@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Miaohe Lin [ Upstream commit 55eff0eb7460c3d50716ed9eccf22257b046ca92 ] We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or we may access the wrong data. Fixes: 0d5501c1c828 ("net: Always untag vlan-tagged traffic on input.") Signed-off-by: Miaohe Lin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/core/skbuff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -5053,8 +5053,8 @@ struct sk_buff *skb_vlan_untag(struct sk skb = skb_share_check(skb, GFP_ATOMIC); if (unlikely(!skb)) goto err_free; - - if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) + /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */ + if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short)))) goto err_free; vhdr = (struct vlan_hdr *)skb->data;