From db8bac79346d40eb786cd54a424fd2e8e3316051 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Thu, 31 Oct 2013 15:50:21 -0700
Subject: [PATCH] net-fixes: flow_dissector: prevent an infinite loop
 (CVE-2013-4348)

Jason Wang found that a malicious packet could make skb_flow_dissect()
loop forever. We must check that IP header has a valid ihl to avoid
this loop. It involves IPIP encapsulation and ihl = 0 to trigger.

Given this bug is critical, I cooked a patch before having
a fix in upstream kernel.

Tested:

 Compiled/booted
 Ran some tests on bnx2x and explicitly disabled hardware provided rxhash
 ethtool -K eth1 rxhash off
 ethtool -K eth2 rxhash off

Google-Bug-Id: 11465355
Effort: net-fixes
Change-Id: I813e4dc48cecb05f8edfa218304e1f13fd764323
Signed-off-by: Ed Tam <etam@google.com>
---
 net/core/flow_dissector.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index a225089df5b6..96c5f0edb4cf 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -35,7 +35,9 @@ again:
 		struct iphdr _iph;
 ip:
 		iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
-		if (!iph)
+
+		/* CVE-2013-4348 issue : make sure iph->ihl is not zero ... */
+		if (!iph || iph->ihl < 5)
 			return false;
 
 		if (ip_is_fragment(iph))
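Review bot: the added comment on the `/* CVE-2013-4348 issue : make sure iph->ihl is not zero ... */` line undersells the check beneath it: `iph->ihl < 5` rejects every IHL from 0 through 4, not just zero, which is the right bound since the fixed IPv4 header is 20 bytes (IHL 5) and any smaller value would make the dissector advance by less than one full header and re-enter the `ip:` label at the same or an overlapping offset in the IPIP case the commit message describes. Suggest rewording the comment to state the actual invariant, e.g. `/* CVE-2013-4348: reject IPv4 headers with ihl < 5 (below the 20-byte minimum) so the IPIP loop always makes forward progress */`, so that a later reader does not relax the check back to `!= 0`. Also note the blank line inserted between `skb_header_pointer(...)` and the new comment is unrelated whitespace churn; dropping it keeps the hunk minimal for backporting.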
-- 
GitLab