On Wed, Sep 19, 2018 at 6:04 AM Paolo Abeni <pab...@redhat.com> wrote: > diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c > index 419960b0ba16..a0b6932c3afd 100644 > --- a/net/ipv6/ip6_tunnel.c > +++ b/net/ipv6/ip6_tunnel.c > @@ -1234,7 +1234,7 @@ static inline int > ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) > { > struct ip6_tnl *t = netdev_priv(dev); > - const struct iphdr *iph = ip_hdr(skb); > + const struct iphdr *iph; > int encap_limit = -1; > struct flowi6 fl6; > __u8 dsfield; > @@ -1242,6 +1242,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device > *dev) > u8 tproto; > int err; > > + /* ensure we can access the full inner ip header */ > + if (!pskb_may_pull(skb, sizeof(struct iphdr))) > + return -1; > + > + iph = ip_hdr(skb);
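Review bot: In the second hunk the comment says "ensure we can access the full inner ip header", but pskb_may_pull(skb, sizeof(struct iphdr)) only guarantees the fixed 20-byte header, not any IPv4 options; either reword the comment to say the base header, or, if any code after this point reads option bytes, pull ip_hdr(skb)->ihl * 4 after a first pull of sizeof(struct iphdr) has validated ihl. Moving the ip_hdr(skb) assignment out of the declaration (first hunk) and below the pull is the right order, since pskb_may_pull may reallocate the linear area and invalidate a pointer taken earlier.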
Hmm... How do IPv4 tunnels ensure they have the right inner header to access? ip_tunnel_xmit() uses skb_inner_network_header() to access the inner header, which doesn't have any check either AFAIK.