net-fixes: flow_dissector: prevent an infinite loop (CVE-2013-4348)

Jason Wang found that a malicious packet could make skb_flow_dissect() loop forever. We must check that IP header has a valid ihl to avoid this loop. It involves IPIP encapsulation and ihl = 0 to trigger. Given this bug is critical, I cooked a patch before having a fix in upstream kernel. Tested: Compiled/booted Ran some tests on bnx2x and explicitely disabled hardware provided rxhash ethtool -K eth1 rxhash off ethtool -K eth2 rxhash off Google-Bug-Id: 11465355 Effort: net-fixes Change-Id: I813e4dc48cecb05f8edfa218304e1f13fd764323 Signed-off-by: Ed Tam <etam@google.com>

net-fixes: flow_dissector: prevent an infinite loop (CVE-2013-4348)
db8bac79 · Eric Dumazet · Ed Tam · 6b52b61f · db8bac79
Commit db8bac79 authored Oct 31, 2013 by Eric Dumazet Committed by Ed Tam Nov 15, 2013
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -35,7 +35,9 @@ again:
 		struct iphdr _iph;
 ip:
 		iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
-		if (!iph)
+
+		/* CVE-2013-4348 issue : make sure iph->ihl is not zero ... */
+		if (!iph || iph->ihl < 5)
 			return false;

 		if (ip_is_fragment(iph))