www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Sabrina Dubroca <sd () queasysnail net>
	Tue, 11 Oct 2016 23:35:06 +0000 (19:35 -0400)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Thu, 13 Oct 2016 23:49:41 +0000 (16:49 -0700)
commit	7e0f0d2f6bf3127834e117162891fe1b4401a02e
tree	6704571f379af8dc201be0418822e2c51b96cd2c	tree
parent	d99dfed312ee8e3d6735baa5c1fe4744003f20eb	commit \| diff

net: add recursion limit to GRO

Orabug: 24829124
CVE: CVE-2016-7039

Currently, GRO can do unlimited recursion through the gro_receive
handlers.  This was fixed for tunneling protocols by limiting tunnel GRO
to one level with encap_mark, but both VLAN and TEB still have this
problem.  Thus, the kernel is vulnerable to a stack overflow, if we
receive a packet composed entirely of VLAN headers.

This patch adds a recursion counter to the GRO layer to prevent stack
overflow.  When a gro_receive function hits the recursion limit, GRO is
aborted for this skb and it is processed normally.

Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
Signed-off-by: Sabrina Dubroca <sd () queasysnail net>
Reviewed-by: Jiri Benc <jbenc () redhat com>
Acked-by: Hannes Frederic Sowa <hannes () stressinduktion org>
(cherry picked from commit e71f3b1fca2ae5d0ae9d9c1a02a93d52beaae322)

Signed-off-by: Brian Maly <brian.maly@oracle.com>

drivers/net/vxlan.c		diff \| blob \| history
include/linux/netdevice.h		diff \| blob \| history
net/core/dev.c		diff \| blob \| history
net/ethernet/eth.c		diff \| blob \| history
net/ipv4/af_inet.c		diff \| blob \| history
net/ipv4/fou.c		diff \| blob \| history
net/ipv4/geneve.c		diff \| blob \| history
net/ipv4/gre_offload.c		diff \| blob \| history
net/ipv4/udp_offload.c		diff \| blob \| history
net/ipv6/ip6_offload.c		diff \| blob \| history