On Thu, Aug 31, 2017 at 03:22:39PM -0700, Tom Herbert wrote:
> In flow dissector there are no limits to the number of nested
> encapsulations that might be dissected which makes for a nice DOS
> attack. This patch limits for dissecting nested encapsulations
> as well as for dissecting over extension headers.
>
> Reported-by: Hannes Frederic Sowa <han...@stressinduktion.org>
> Signed-off-by: Tom Herbert <t...@quantonium.net>
> ---
> net/core/flow_dissector.c | 48
> ++++++++++++++++++++++++++++++++++++++++++++---
> 1 file changed, 45 insertions(+), 3 deletions(-)
>
> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> index 5110180a3e96..1bca748de27d 100644
> --- a/net/core/flow_dissector.c
> +++ b/net/core/flow_dissector.c
> @@ -396,6 +396,35 @@ __skb_flow_dissect_ipv6(const struct sk_buff *skb,
> key_ip->ttl = iph->hop_limit;
> }
>
> +/* Maximum number of nested encapsulations that can be processed in
> + * __skb_flow_dissect
> + */
> +#define MAX_FLOW_DISSECT_ENCAPS 5
> +
> +static bool skb_flow_dissect_encap_allowed(int *num_encaps, unsigned int
> *flags)
> +{
> + ++*num_encaps;
> +
> + if (*num_encaps >= MAX_FLOW_DISSECT_ENCAPS) {
> + if (*num_encaps == MAX_FLOW_DISSECT_ENCAPS) {
> + /* Allow one more pass but ignore disregard
It seems that 'ignore' or 'disregard' should be dropped from the text above.
> + * further encapsulations
> + */
> + *flags |= FLOW_DISSECTOR_F_STOP_AT_ENCAP;
> + } else {
> + /* Max encaps reached */
> + return false;
There are two spaces between 'return' and 'false'.
...
