author | Stefano Brivio | 2019-01-03 21:43:34 +0100 |
---|---|---|
committer | David S. Miller | 2019-01-04 13:06:07 -0800 |
commit | bc6e019b6ee65ff4ebf3ca272f774cf6c67db669 (patch) | |
tree | 7fd864915e5771b489b207b32e76eeda2f1bed19 /net | |
parent | 41e4e2cd75346667b0c531c07dab05cce5b06d15 (diff) |
fou: Prevent unbounded recursion in GUE error handler also with UDP-Lite

In commit 11789039da53 ("fou: Prevent unbounded recursion in GUE error
handler"), I didn't take care of the case where UDP-Lite is encapsulated
into UDP or UDP-Lite with GUE. From a syzbot report about a possibly
similar issue with GUE on IPv6, I just realised the same thing might
happen with a UDP-Lite inner payload.

Also skip exception handling for inner UDP-Lite protocol.

Fixes: 11789039da53 ("fou: Prevent unbounded recursion in GUE error handler")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/fou.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c index 0c9f171fb085..632863541082 100644 --- a/net/ipv4/fou.c +++ b/net/ipv4/fou.c @@ -1065,7 +1065,8 @@ static int gue_err(struct sk_buff *skb, u32 info) * recursion. Besides, this kind of encapsulation can't even be * configured currently. Discard this. */ - if (guehdr->proto_ctype == IPPROTO_UDP) + if (guehdr->proto_ctype == IPPROTO_UDP || + guehdr->proto_ctype == IPPROTO_UDPLITE) return -EOPNOTSUPP; skb_set_transport_header(skb, -(int)sizeof(struct icmphdr)); |
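Review bot: the condition in gue_err() rejects inner protocols one at a time (IPPROTO_UDP, and now IPPROTO_UDPLITE), and the commit message says the earlier fix missed this second case, so the rule behind the list should be written down next to the check. The comment visible above the condition is not touched by this hunk; consider extending it to name UDP-Lite and to state that any inner protocol whose error handling can lead back into this handler has to be discarded here, so a later addition is checked against that rule. The message also refers to a syzbot report about GUE on IPv6 while the diffstat covers only net/ipv4/fou.c; it would help to say in the message whether the IPv6 path is affected and fixed separately.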