Re: [PATCH net] ip: fix IP_CHECKSUM handling

2017-02-20 Thread Stephen Hemminger 
On Mon, 20 Feb 2017 17:55:39 +0100
Paolo Abeni  wrote:

> The skbs processed by ip_cmsg_recv() are not guaranteed to
> be linear e.g. when sending UDP packets over loopback with
> MSGMORE.
> Using csum_partial() on [potentially] the whole skb len
> is dangerous; instead be on the safe side and use skb_checksum().
> 
> Thanks to syzkaller team to detect the issue and provide the
> reproducer.
> 
> Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
> Reported-by: Andrey Konovalov 
> Signed-off-by: Paolo Abeni 
> ---
>  net/ipv4/ip_sockglue.c | 9 +
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
> index 9000117..d88bbe2 100644
> --- a/net/ipv4/ip_sockglue.c
> +++ b/net/ipv4/ip_sockglue.c
> @@ -112,14 +112,15 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, 
> struct sk_buff *skb,
> int tlen, int offset)
>  {
>   __wsum csum = skb->csum;
> + int tend_off;
>  
>   if (skb->ip_summed != CHECKSUM_COMPLETE)
>   return;
>  
> - if (offset != 0)
> - csum = csum_sub(csum,
> - csum_partial(skb_transport_header(skb) + tlen,
> -  offset, 0));
> + if (offset != 0) {
> + tend_off = skb_transport_offset(skb) + tlen;
> + csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0));
> + }

If you need to add a local variable (tend_off) then please make its scope
as tight as possible. i.e.

if (offset != 0) {
int tend_off = skb_transport_offset(skb) + tlen;

[PATCH net] ip: fix IP_CHECKSUM handling

2017-02-20 Thread Paolo Abeni 
The skbs processed by ip_cmsg_recv() are not guaranteed to
be linear e.g. when sending UDP packets over loopback with
MSGMORE.
Using csum_partial() on [potentially] the whole skb len
is dangerous; instead be on the safe side and use skb_checksum().

Thanks to syzkaller team to detect the issue and provide the
reproducer.

Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
Reported-by: Andrey Konovalov 
Signed-off-by: Paolo Abeni 
---
 net/ipv4/ip_sockglue.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 9000117..d88bbe2 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -112,14 +112,15 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, 
struct sk_buff *skb,
  int tlen, int offset)
 {
__wsum csum = skb->csum;
+   int tend_off;
 
if (skb->ip_summed != CHECKSUM_COMPLETE)
return;
 
-   if (offset != 0)
-   csum = csum_sub(csum,
-   csum_partial(skb_transport_header(skb) + tlen,
-offset, 0));
+   if (offset != 0) {
+   tend_off = skb_transport_offset(skb) + tlen;
+   csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0));
+   }
 
put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), );
 }
-- 
2.9.3