ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Hannes Frederic Sowa <hannes@stressinduktion.org>	2015-10-28 15:21:04 +0300
committer	David S. Miller <davem@davemloft.net>	2015-10-29 17:01:50 +0300
commit	89bc7848a91bc99532f5c21b2885472ba710f249 (patch)
tree	90181c41b4521baaac793ad38f57c51d3957a663 /Documentation
parent	1e0d69a9cc9172d7896c2113f983a74f6e8ff303 (diff)
download	linux-89bc7848a91bc99532f5c21b2885472ba710f249.tar.xz

ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues

Raw sockets with hdrincl enabled can insert ipv6 extension headers right into the data stream. In case we need to fragment those packets, we reparse the options header to find the place where we can insert the fragment header. If the extension headers exceed the link's MTU we actually cannot make progress in such a case. Instead of ending up in broken arithmetic or rounding towards 0 and entering an endless loop in ip6_fragment, just prevent those cases by aborting early and signal -EMSGSIZE to user space. This is the second version of the patch which doesn't use the overflow_usub function, which got reverted for now. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'Documentation')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: