esp: Fix possible buffer overflow in ESP transformation

The maximum message size that can be send is bigger than the maximum site that skb_page_frag_refill can allocate. So it is possible to write beyond the allocated buffer. Fix this by doing a fallback to COW in that case. v2: Avoid get get_order() costs as suggested by Linus Torvalds. Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") Reported-by: valis <sec@valis.email> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
author: Steffen Klassert <steffen.klassert@secunet.com> 2022-03-07 13:11:39 +0100
committer: Steffen Klassert <steffen.klassert@secunet.com> 2022-03-07 13:14:03 +0100
commit: ebe48d368e97d007bfeb76fcb065d6cfc4c96645 (patch)
tree: eaf068b3acda81ceaad0143fed5851d21a5e8bef /net/ipv6/esp6.c
parent: a3d9001b4e287fc043e5539d03d71a32ab114bcb (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 7591160edce1..b0ffbcd5432d 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -482,6 +482,7 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsz;
 
 	if (x->encap) {
 		int err = esp6_output_encap(x, skb, esp);
@@ -490,6 +491,10 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 			return err;
 	}
 
+	allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+		goto cow;
+
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
 			nfrags = 1;
author	Steffen Klassert <steffen.klassert@secunet.com>	2022-03-07 13:11:39 +0100
committer	Steffen Klassert <steffen.klassert@secunet.com>	2022-03-07 13:14:03 +0100
commit	ebe48d368e97d007bfeb76fcb065d6cfc4c96645 (patch)
tree	eaf068b3acda81ceaad0143fed5851d21a5e8bef /net/ipv6/esp6.c
parent	a3d9001b4e287fc043e5539d03d71a32ab114bcb (diff)