Eric Dumazet reported syzbot found a new bug which leads to underflow of size argument of memmove(), causing crash[1]. This can be triggered by tun devices.
The underflow happened because skb_vlan_untag() did not expect vlan packets without ethernet headers, and tun can produce such packets. I also checked vlan_insert_inner_tag() and found a similar bug. This series fixes these problems. [1] https://marc.info/?l=linux-netdev&m=152221753920510&w=2 Toshiaki Makita (2): net: Fix untag for vlan packets without ethernet header vlan: Fix vlan insertion for packets without ethernet header include/linux/if_vlan.h | 15 +++++++++++++-- net/core/skbuff.c | 6 ++++-- 2 files changed, 17 insertions(+), 4 deletions(-) -- 1.8.3.1
