ipv6: avoid overflow of offset in ip6_find_1stfragopt

commit 6399f1fae4ec29fab5ec76070435555e256ca3a6 upstream.

In some cases, offset can overflow and can cause an infinite loop in
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.

This problem has been here since before the beginning of git history.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index 0fcaf38006f93f2f8346a16fae6c40d8d5a3fa24..19f9a4a339b5316c01230878006f11390495c47c 100644 (file)
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -44,7 +44,7 @@ EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
 
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 {
-       u16 offset = sizeof(struct ipv6hdr);
+       unsigned int offset = sizeof(struct ipv6hdr);
        unsigned int packet_len = skb_tail_pointer(skb) -
                skb_network_header(skb);
        int found_rhdr = 0;
@@ -52,6 +52,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 
        while (offset <= packet_len) {
                struct ipv6_opt_hdr *exthdr;
+               unsigned int len;
 
                switch (**nexthdr) {
 
@@ -77,7 +78,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 
                exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
                                                 offset);
-               offset += ipv6_optlen(exthdr);
+               len = ipv6_optlen(exthdr);
+               if (len + offset >= IPV6_MAXPLEN)
+                       return -EINVAL;
+               offset += len;
                *nexthdr = &exthdr->nexthdr;
        }