diff options
author | Sabrina Dubroca <sd@queasysnail.net> | 2016-12-14 13:24:55 +0100 |
---|---|---|
committer | Sasha Levin <alexander.levin@verizon.com> | 2016-12-23 08:56:36 -0500 |
commit | fabaaaa96d54077b4a9f2c811e55dc09ff2874db (patch) | |
tree | 09928dd285beca125e9420ec0e710cc342eb5d07 /net/core | |
parent | 7abf32087c1dabacf707506585afc7b69aad21b3 (diff) |
net: add recursion limit to GRO
[ Debian: net-add-recursion-limit-to-gro.patch ]
Currently, GRO can do unlimited recursion through the gro_receive
handlers. This was fixed for tunneling protocols by limiting tunnel GRO
to one level with encap_mark, but both VLAN and TEB still have this
problem. Thus, the kernel is vulnerable to a stack overflow, if we
receive a packet composed entirely of VLAN headers.
This patch adds a recursion counter to the GRO layer to prevent stack
overflow. When a gro_receive function hits the recursion limit, GRO is
aborted for this skb and it is processed normally.
Thanks to Vladimír Beneš <vbenes@redhat.com> for the initial bug report.
Fixes: CVE-2016-7039
Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Jiri Benc <jbenc@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Philipp Hahn <hahn@univention.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Diffstat (limited to 'net/core')
-rw-r--r-- | net/core/dev.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/core/dev.c b/net/core/dev.c index 185a3398c651..56d820fc2707 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -4060,6 +4060,7 @@ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff NAPI_GRO_CB(skb)->flush = 0; NAPI_GRO_CB(skb)->free = 0; NAPI_GRO_CB(skb)->udp_mark = 0; + NAPI_GRO_CB(skb)->recursion_counter = 0; NAPI_GRO_CB(skb)->gro_remcsum_start = 0; /* Setup for GRO checksum validation */ |