!5530 net: Fix CVE-2024-26641 (dc5f5974) · Commits · EulixOS / Software / Kernel

net/ipv6/ip6_tunnel.c

+19 −9

Original line number	Diff line number	Diff line
		@@ -829,9 +829,8 @@ static int __ip6_tnl_rcv(struct ip6_tnl tunnel, struct sk_buff skb,
		struct sk_buff *skb),
		bool log_ecn_err)
		{
		struct pcpu_sw_netstats *tstats;
		const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
		int err;
		const struct ipv6hdr *ipv6h;
		int nh, err;

		if ((!(tpi->flags & TUNNEL_CSUM) &&
		(tunnel->parms.i_flags & TUNNEL_CSUM)) \|\|
		@@ -863,14 +862,29 @@ static int __ip6_tnl_rcv(struct ip6_tnl tunnel, struct sk_buff skb,
		goto drop;
		}

		ipv6h = ipv6_hdr(skb);
		skb->protocol = eth_type_trans(skb, tunnel->dev);
		skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
		} else {
		skb->dev = tunnel->dev;
		}

		/* Save offset of outer header relative to skb->head,
		* because we are going to reset the network header to the inner header
		* and might change skb->head.
		*/
		nh = skb_network_header(skb) - skb->head;

		skb_reset_network_header(skb);

		if (!pskb_inet_may_pull(skb)) {
		DEV_STATS_INC(tunnel->dev, rx_length_errors);
		DEV_STATS_INC(tunnel->dev, rx_errors);
		goto drop;
		}

		/* Get the outer header. */
		ipv6h = (struct ipv6hdr *)(skb->head + nh);

		memset(skb->cb, 0, sizeof(struct inet6_skb_parm));

		__skb_tunnel_rx(skb, tunnel->dev, tunnel->net);
		@@ -888,11 +902,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl tunnel, struct sk_buff skb,
		}
		}

		tstats = this_cpu_ptr(tunnel->dev->tstats);
		u64_stats_update_begin(&tstats->syncp);
		tstats->rx_packets++;
		tstats->rx_bytes += skb->len;
		u64_stats_update_end(&tstats->syncp);
		dev_sw_netstats_rx_add(tunnel->dev, skb->len);

		skb_scrub_packet(skb, !net_eq(tunnel->net, dev_net(tunnel->dev)));