From: Toke Høiland-Jørgensen <[email protected]>
Date: Tue, 7 Jul 2020 13:03:25 +0200

> Toshiaki pointed out that we now have two very similar functions to extract
> the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
> that the unbounded parsing loop makes it possible for maliciously crafted
> packets to loop through potentially hundreds of tags.
>
> Fix both of these issues by consolidating the two parsing functions and
> limiting the VLAN tag parsing to a max depth of 8 tags. As part of this,
> switch over __vlan_get_protocol() to use skb_header_pointer() instead of
> pskb_may_pull(), to avoid the possible side effects of the latter and keep
> the skb pointer 'const' through all the parsing functions.
>
> v2:
> - Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT)
>
> Reported-by: Toshiaki Makita <[email protected]>
> Reported-by: Daniel Borkmann <[email protected]>
> Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in
> the presence of VLANs")
> Signed-off-by: Toke Høiland-Jørgensen <[email protected]>

Applied, thank you.
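The bounded parse described in the quoted commit message, as an added user-space illustration that is not part of the original message or the kernel patch: it walks stacked VLAN tags in a raw Ethernet frame through a const pointer with a bounds check on every read, and gives up past 8 tags. The names `l3_protocol`, `read_be16`, `build_frame` and `MAX_VLAN_DEPTH` are hypothetical, and the frames are constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETHERTYPE_8021Q  0x8100
#define ETHERTYPE_8021AD 0x88A8
#define VLAN_TAG_LEN     4   /* TCI (2 bytes) + encapsulated EtherType (2 bytes) */
#define MAX_VLAN_DEPTH   8   /* hypothetical name; the value is the limit from the message */

static int is_vlan(uint16_t t) { return t == ETHERTYPE_8021Q || t == ETHERTYPE_8021AD; }

/* Bounds-checked big-endian read; never modifies or reallocates the buffer. */
static int read_be16(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2)
        return -1;
    *out = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    return 0;
}

/* Returns the L3 EtherType (host order), or 0 if the frame is truncated
 * or carries more than MAX_VLAN_DEPTH tags. */
uint16_t l3_protocol(const uint8_t *frame, size_t len, unsigned *depth_out)
{
    size_t off = 12;                 /* skip destination and source MAC */
    unsigned depth = 0;
    uint16_t type;

    if (read_be16(frame, len, off, &type) < 0)
        return 0;
    off += 2;
    while (is_vlan(type)) {
        if (depth == MAX_VLAN_DEPTH) /* bound the loop against crafted tag stacks */
            return 0;
        if (read_be16(frame, len, off + 2, &type) < 0) /* skip TCI, read next type */
            return 0;
        off += VLAN_TAG_LEN;
        depth++;
    }
    if (depth_out)
        *depth_out = depth;
    return type;
}

/* Constructed sample input: zeroed MACs, ntags 802.1Q tags, then IPv4 (0x0800). */
size_t build_frame(uint8_t *buf, size_t cap, unsigned ntags)
{
    size_t off = 12, need = 12 + (size_t)VLAN_TAG_LEN * ntags + 2;
    if (cap < need)
        return 0;
    memset(buf, 0, need);
    for (unsigned i = 0; i < ntags; i++, off += VLAN_TAG_LEN) {
        buf[off] = 0x81;             /* TPID 0x8100 */
        buf[off + 3] = 1;            /* TCI: VLAN id 1 */
    }
    buf[off] = 0x08;                 /* encapsulated EtherType 0x0800 */
    return need;
}

int main(void)
{
    uint8_t f[64];
    return l3_protocol(f, build_frame(f, sizeof f, 2), NULL) == 0x0800 ? 0 : 1;
}
```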
