Potential fix for vrouter kernel module crash due to skbuf corruption

Support IPv6 MSS adjust, fixing pulllen and header refresh after skb_may_pull Change-Id: Ibd9d1383d338a43e3fdb315471c7b3bcb78a130f
Juniper · Oct 16, 2014 · 4224f76 · 4224f76
1 parent 350af1e
commit 4224f76
Showing 1 changed file with 22 additions and 9 deletions.
diff --git a/linux/vrouter_mod.c b/linux/vrouter_mod.c
@@ -772,7 +772,7 @@ static int
 lh_pkt_from_vm_tcp_mss_adj(struct vr_packet *pkt, unsigned short overlay_len)
 {
     struct sk_buff *skb = vp_os_packet(pkt);
-    int hlen, pull_len, proto;
+    int hlen, pull_len, proto, opt_len = 0;
     struct vr_ip *iph;
     struct vr_ip6 *ip6h;
     struct tcphdr *tcph;
@@ -785,10 +785,23 @@ lh_pkt_from_vm_tcp_mss_adj(struct vr_packet *pkt, unsigned short overlay_len)
 
     pull_len = pkt->vp_data - (skb_headroom(skb));
 
+    /* Pull in ipv4 header-length */
+    pull_len += sizeof(struct vr_ip);
+
+    if (!pskb_may_pull(skb, pull_len)) {
+        return VP_DROP_PULL; 
+    }
+
+    iph = (struct vr_ip *) (skb->head + pkt->vp_data);
+
     if (vr_ip_is_ip6(iph)) {
 
-        ip6h = (struct vr_ip6 *)iph;
-        pull_len += sizeof(struct vr_ip6);
+        pull_len += (sizeof(struct vr_ip6) - sizeof(struct vr_ip));
+        if (!pskb_may_pull(skb, pull_len)) {
+            return VP_DROP_PULL;
+        }
+
+        ip6h = (struct vr_ip6 *) (skb->head + pkt->vp_data);
         proto = ip6h->ip6_nxt;
         hlen = sizeof(struct vr_ip6);
     } else {
@@ -799,25 +812,22 @@ lh_pkt_from_vm_tcp_mss_adj(struct vr_packet *pkt, unsigned short overlay_len)
             goto out;
         }
 
-        pull_len += sizeof(struct vr_ip);
         proto = iph->ip_proto;
         hlen = iph->ip_hl * 4;
-    }
-
-    if (!pskb_may_pull(skb, pull_len)) {
-        return VP_DROP_PULL; 
+        opt_len = hlen - sizeof(struct vr_ip);
     }
 
     if (proto != VR_IP_PROTO_TCP) {
         goto out;
     }
 
-    pull_len += sizeof(struct tcphdr);
+    pull_len += sizeof(struct tcphdr) + opt_len;
 
     if (!pskb_may_pull(skb, pull_len)) {
         return VP_DROP_PULL;
     }
 
+    iph = (struct vr_ip *) (skb->head + pkt->vp_data);
     tcph = (struct tcphdr *) ((char *) iph +  hlen);
 
     if ((tcph->doff << 2) <= (sizeof(struct tcphdr))) {
@@ -833,6 +843,9 @@ lh_pkt_from_vm_tcp_mss_adj(struct vr_packet *pkt, unsigned short overlay_len)
         return VP_DROP_PULL;
     }
 
+    iph = (struct vr_ip *) (skb->head + pkt->vp_data);
+    tcph = (struct tcphdr *) ((char *) iph +  hlen);
+
     lh_adjust_tcp_mss(tcph, skb, overlay_len, hlen);
 
 out: