Unverified Commit 7ceda325 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!13792 CVE-2024-43817 

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhang Changzhong <zhangchangzhong@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/LLOLHCPNG6WWMNSG4EAL4WYLLVYNS3AH/ 
Felix Fietkau (1):
  udp: fix receiving fraglist GSO packets

Willem de Bruijn (2):
  net: drop bad gso csum_start and offset in virtio_net_hdr
  net: tighten bad gso csum offset check in virtio_net_hdr

Yan Zhai (1):
  gso: fix dodgy bit handling for GSO_UDP_L4


-- 
2.9.5
 
https://gitee.com/src-openeuler/kernel/issues/IAKQ33 
 
Link:https://gitee.com/openeuler/kernel/pulls/13792
parents 5b5618ee 906c902f

include/linux/virtio_net.h

+11 −2
Original line number Diff line number Diff line
@@ -144,9 +144,18 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, 
		unsigned int nh_off = p_off;

		struct skb_shared_info *shinfo = skb_shinfo(skb);



		switch (gso_type & ~SKB_GSO_TCP_ECN) {

		case SKB_GSO_UDP:

			/* UFO may not include transport header in gso_size. */

		if (gso_type & SKB_GSO_UDP)

			nh_off -= thlen;

			break;

		case SKB_GSO_TCPV4:

		case SKB_GSO_TCPV6:

			if (skb->ip_summed == CHECKSUM_PARTIAL &&

			    skb->csum_offset != offsetof(struct tcphdr, check))

				return -EINVAL;

			break;

		}



		/* Kernel has a special handling for GSO_BY_FRAGS. */

		if (gso_size == GSO_BY_FRAGS)

net/ipv4/tcp_offload.c

+3 −0
Original line number Diff line number Diff line
@@ -71,6 +71,9 @@ struct sk_buff *tcp_gso_segment(struct sk_buff *skb, 
	if (thlen < sizeof(*th))

		goto out;



	if (unlikely(skb_checksum_start(skb) != skb_transport_header(skb)))

		goto out;



	if (!pskb_may_pull(skb, thlen))

		goto out;

net/ipv4/udp_offload.c

+16 −4
Original line number Diff line number Diff line
@@ -270,6 +270,22 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, 
	__sum16 check;

	__be16 newlen;



	mss = skb_shinfo(gso_skb)->gso_size;

	if (gso_skb->len <= sizeof(*uh) + mss)

		return ERR_PTR(-EINVAL);



	if (unlikely(skb_checksum_start(gso_skb) !=

		     skb_transport_header(gso_skb) &&

		     !(skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST)))

		return ERR_PTR(-EINVAL);



	if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) {

		/* Packet is from an untrusted source, reset gso_segs. */

		skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh),

							     mss);

		return NULL;

	}



	if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) {

		 /* Detect modified geometry and pass those to skb_segment. */

		if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size)
@@ -291,10 +307,6 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, 
						  ip_hdr(gso_skb)->daddr, 0);

	}



	mss = skb_shinfo(gso_skb)->gso_size;

	if (gso_skb->len <= sizeof(*uh) + mss)

		return ERR_PTR(-EINVAL);



	skb_pull(gso_skb, sizeof(*uh));



	/* clear destructor to avoid skb_segment assigning it to tail */