fee4dfbda6
commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 upstream.
The maximum message size that can be send is bigger than
the maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.
Fix this by doing a fallback to COW in that case.
v2:
Avoid get get_order() costs as suggested by Linus Torvalds.
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
36 lines
942 B
C
36 lines
942 B
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _NET_ESP_H
|
|
#define _NET_ESP_H
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
|
|
|
|
struct ip_esp_hdr;
|
|
|
|
static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)
|
|
{
|
|
return (struct ip_esp_hdr *)skb_transport_header(skb);
|
|
}
|
|
|
|
struct esp_info {
|
|
struct ip_esp_hdr *esph;
|
|
__be64 seqno;
|
|
int tfclen;
|
|
int tailen;
|
|
int plen;
|
|
int clen;
|
|
int len;
|
|
int nfrags;
|
|
__u8 proto;
|
|
bool inplace;
|
|
};
|
|
|
|
int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp);
|
|
int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp);
|
|
int esp_input_done2(struct sk_buff *skb, int err);
|
|
int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp);
|
|
int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp);
|
|
int esp6_input_done2(struct sk_buff *skb, int err);
|
|
#endif
|