author: Sabrina Dubroca <sd@queasysnail.net> 2016-12-14 13:24:55 +0100
committer: Sasha Levin <alexander.levin@verizon.com> 2016-12-23 08:56:36 -0500
commit: fabaaaa96d54077b4a9f2c811e55dc09ff2874db
tree: 09928dd285beca125e9420ec0e710cc342eb5d07 /drivers/net
parent: 7abf32087c1dabacf707506585afc7b69aad21b3
net: add recursion limit to GRO
[ Debian: net-add-recursion-limit-to-gro.patch ]

Currently, GRO can do unlimited recursion through the gro_receive handlers. This was fixed for tunneling protocols by limiting tunnel GRO to one level with encap_mark, but both VLAN and TEB still have this problem. Thus, the kernel is vulnerable to a stack overflow, if we receive a packet composed entirely of VLAN headers.

This patch adds a recursion counter to the GRO layer to prevent stack overflow. When a gro_receive function hits the recursion limit, GRO is aborted for this skb and it is processed normally.

Thanks to Vladimír Beneš <vbenes@redhat.com> for the initial bug report.

Fixes: CVE-2016-7039
Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Jiri Benc <jbenc@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Philipp Hahn <hahn@univention.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

Diffstat (limited to 'drivers/net')
-rw-r--r-- drivers/net/vxlan.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 940f78e41993..d9e873c3a273 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -635,7 +635,7 @@ static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,
}
}
- pp = eth_gro_receive(head, skb);
+ pp = call_gro_receive(eth_gro_receive, head, skb);
out:
skb_gro_remcsum_cleanup(skb, &grc);
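Review bot: The new call `pp = call_gro_receive(eth_gro_receive, head, skb);` relies on a wrapper whose definition and depth limit lie outside this drivers/net view, so the abort path cannot be checked from this hunk alone. Because the assignment falls straight through to `out:` and `skb_gro_remcsum_cleanup(skb, &grc);`, please confirm that the value the wrapper hands back when the recursion limit is hit is one vxlan_gro_receive can return unchanged after that cleanup. A short comment at this call site stating that inner gro_receive handlers must be invoked through call_gro_receive would also help keep a later change from reintroducing a direct call that bypasses the counter.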