On Fri, 2018-09-21 at 11:51 -0700, Cong Wang wrote: > On Wed, Sep 19, 2018 at 6:04 AM Paolo Abeni <pab...@redhat.com> wrote: > > diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c > > index 419960b0ba16..a0b6932c3afd 100644 > > --- a/net/ipv6/ip6_tunnel.c > > +++ b/net/ipv6/ip6_tunnel.c > > @@ -1234,7 +1234,7 @@ static inline int > > ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) > > { > > struct ip6_tnl *t = netdev_priv(dev); > > - const struct iphdr *iph = ip_hdr(skb); > > + const struct iphdr *iph; > > int encap_limit = -1; > > struct flowi6 fl6; > > __u8 dsfield; > > @@ -1242,6 +1242,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct > > net_device *dev) > > u8 tproto; > > int err; > > > > + /* ensure we can access the full inner ip header */ > > + if (!pskb_may_pull(skb, sizeof(struct iphdr))) > > + return -1; > > + > > + iph = ip_hdr(skb); > > Hmm... > > How do IPv4 tunnels ensure they have the right inner header to access? > ip_tunnel_xmit() uses skb_inner_network_header() to access inner header > which doesn't have any check either AFAIK.
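Review bot: in the second hunk the comment "ensure we can access the full inner ip header" overstates what the pull guarantees: pskb_may_pull(skb, sizeof(struct iphdr)) makes only the 20-byte fixed header linear, not IPv4 options (iph->ihl * 4 bytes). That is enough for this function as long as it reads only fixed fields such as the TOS used for dsfield; if any later code walks the options, add a second pull of iph->ihl * 4 after the first succeeds. Moving the `iph = ip_hdr(skb);` assignment after the pull (rather than at the declaration, as the first hunk removes) is the right order, because a successful pull can reallocate the linear area and leave an earlier ip_hdr(skb) pointer stale; a short comment on the assignment saying why it must follow the pull would save the next reader from "simplifying" it back. The new `return -1` should match what the caller expects from this function's other failure returns, so that the skb is freed and counted as a tx error rather than leaked.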
You are right, I think we need similar checks for ip_tunnel_xmit(), too. I'll try to cook a patch.

Cheers,

Paolo
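The pattern the patch applies, as an added userspace example that is not part of this thread or of the kernel: `toy_skb` and `toy_may_pull` are hypothetical stand-ins for `sk_buff` and `pskb_may_pull()`, keeping only the properties that matter here (a linear area that may hold less than a full header, a pull that fails on a runt packet and can reallocate the linear area on success). `inner_tos_checked` follows the patched `ip4ip6_tnl_xmit` order: pull first, then take the header pointer. The packet bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fixed 20-byte IPv4 header; options (ihl > 5) are not modelled. */
struct iphdr_fixed {
    uint8_t  ihl_version;
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

/* Hypothetical toy sk_buff: a linear area plus one non-linear fragment. */
struct toy_skb {
    uint8_t *data;        /* linear area (may be reallocated by a pull) */
    size_t   headlen;     /* bytes currently linear */
    const uint8_t *frag;  /* remaining, non-linear bytes */
    size_t   fraglen;
};

/* Stand-in for pskb_may_pull(): guarantee n linear bytes. Fails when the
 * packet is shorter than n; on success may move skb->data, so any header
 * pointer taken before the call must be recomputed afterwards. */
static bool toy_may_pull(struct toy_skb *skb, size_t n)
{
    if (n <= skb->headlen)
        return true;
    if (n > skb->headlen + skb->fraglen)
        return false;
    size_t need = n - skb->headlen;
    uint8_t *p = realloc(skb->data, n);
    if (!p)
        return false;
    memcpy(p + skb->headlen, skb->frag, need);
    skb->data = p;
    skb->headlen = n;
    skb->frag += need;
    skb->fraglen -= need;
    return true;
}

/* Patched order: pull, then read the inner header. Returns the inner TOS
 * (what the tunnel derives dsfield from) or -1 for a runt packet. */
static int inner_tos_checked(struct toy_skb *skb)
{
    if (!toy_may_pull(skb, sizeof(struct iphdr_fixed)))
        return -1;
    struct iphdr_fixed iph;
    memcpy(&iph, skb->data, sizeof iph);  /* pointer taken after the pull */
    return iph.tos;
}

/* Build a toy skb from a packet, keeping `linear` bytes linear and the
 * rest in the fragment, the way a short linear area would look. */
static struct toy_skb *make_skb(const uint8_t *pkt, size_t len, size_t linear)
{
    if (linear > len)
        linear = len;
    struct toy_skb *skb = calloc(1, sizeof *skb);
    skb->data = malloc(linear ? linear : 1);
    memcpy(skb->data, pkt, linear);
    skb->headlen = linear;
    skb->frag = pkt + linear;
    skb->fraglen = len - linear;
    return skb;
}

static void free_skb(struct toy_skb *skb)
{
    free(skb->data);
    free(skb);
}

/* Constructed sample: 20-byte IPv4 header with tos = 0xb8, then 8 payload
 * bytes, as ip4ip6_tnl_xmit would receive for encapsulation. */
static const uint8_t sample_pkt[28] = {
    0x45, 0xb8, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00,
    0x40, 0x11, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02, 'p', 'a', 'y', 'l', 'o', 'a', 'd', '!'
};

/* Run the checked read on the sample truncated to pktlen bytes with
 * `linear` of them in the linear area. */
static int tos_with_linear(size_t linear, size_t pktlen)
{
    struct toy_skb *skb = make_skb(sample_pkt, pktlen, linear);
    int r = inner_tos_checked(skb);
    free_skb(skb);
    return r;
}
```

With a header split across the linear area and the fragment (`linear` of 4 or even 0) the pull succeeds and the TOS is read correctly; with a 10-byte runt the pull fails and the function reports -1 instead of reading past the data it has, which is the case the kernel patch closes.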