From db8bac79346d40eb786cd54a424fd2e8e3316051 Mon Sep 17 00:00:00 2001 From: Eric Dumazet <edumazet@google.com> Date: Thu, 31 Oct 2013 15:50:21 -0700 Subject: [PATCH] net-fixes: flow_dissector: prevent an infinite loop (CVE-2013-4348) Jason Wang found that a malicious packet could make skb_flow_dissect() loop forever. We must check that IP header has a valid ihl to avoid this loop. It involves IPIP encapsulation and ihl = 0 to trigger. Given this bug is critical, I cooked a patch before having a fix in upstream kernel. Tested: Compiled/booted Ran some tests on bnx2x and explicitely disabled hardware provided rxhash ethtool -K eth1 rxhash off ethtool -K eth2 rxhash off Google-Bug-Id: 11465355 Effort: net-fixes Change-Id: I813e4dc48cecb05f8edfa218304e1f13fd764323 Signed-off-by: Ed Tam <etam@google.com> --- net/core/flow_dissector.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c index a225089df5b6..96c5f0edb4cf 100644 --- a/net/core/flow_dissector.c +++ b/net/core/flow_dissector.c @@ -35,7 +35,9 @@ again: struct iphdr _iph; ip: iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); - if (!iph) + + /* CVE-2013-4348 issue : make sure iph->ihl is not zero ... */ + if (!iph || iph->ihl < 5) return false; if (ip_is_fragment(iph)) -- GitLab
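Review bot: the comment added before the check (`make sure iph->ihl is not zero`) understates what the code enforces; `iph->ihl < 5` rejects every header shorter than the 20-byte IPv4 minimum, not just `ihl == 0`, so the comment should say "reject ihl < 5 (minimum IPv4 header length)" to stop a later reader from "simplifying" it back to a zero check, which would still leave 1..4 as undersized headers that `skb_header_pointer` never validated. The check itself is the correct guard for the loop described in the commit message: with `ihl == 0` the IPIP path re-enters `again:` without the network offset advancing, and 5 is the smallest value that can be valid. Two style points: the stray empty `+` line before the comment adds a blank line inside the block and could be dropped, and the commit message has "explicitely" for "explicitly".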