From patchwork Tue Jun 19 23:44:06 2018
X-Patchwork-Submitter: Michael Scott
X-Patchwork-Id: 10475641
From: Michael Scott
Cc: Michael Scott, Alexander Aring, Jukka Rissanen, "David S. Miller", linux-bluetooth@vger.kernel.org, linux-wpan@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] 6lowpan: iphc: reset mac_header after decompress to fix panic
Date: Tue, 19 Jun 2018 16:44:06 -0700
Message-Id: <20180619234406.8217-1-michael@opensourcefoundries.com>
X-Mailing-List: linux-wpan@vger.kernel.org

After decompression of 6lowpan socket data, an IPv6 header is inserted before the existing socket payload. After this, we reset the network_header value of the skb to account for the difference in payload size from prior to decompression + the addition of the IPv6 header.

However, we fail to reset the mac_header value.

Leaving the mac_header value untouched here can cause a calculation error in net/packet/af_packet.c packet_rcv() function when an AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan interface.

On line 2088, the data pointer is moved backward by the value returned from skb_mac_header(). If skb->data is adjusted so that it is before the skb->head pointer (which can happen when an old value of mac_header is left in place) the kernel generates a panic in net/core/skbuff.c line 1717.

This panic can be generated by BLE 6lowpan interfaces (such as bt0) and 802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan sources for compression and decompression.

Signed-off-by: Michael Scott
Acked-by: Alexander Aring
Acked-by: Jukka Rissanen
Acked-by: Stefan Schmidt

--- net/6lowpan/iphc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c index 6b1042e21656..52fad5dad9f7 100644 --- a/net/6lowpan/iphc.c +++ b/net/6lowpan/iphc.c 
@@ -770,6 +770,7 @@ int lowpan_header_decompress(struct sk_buff *skb, const struct net_device *dev, hdr.hop_limit, &hdr.daddr); skb_push(skb, sizeof(hdr)); + skb_reset_mac_header(skb); skb_reset_network_header(skb); skb_copy_to_linear_data(skb, &hdr, sizeof(hdr));
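
Review bot: the added skb_reset_mac_header(skb) in lowpan_header_decompress() sits directly before skb_reset_network_header(skb) with no comment, so after skb_push() both offsets point at the start of the pushed IPv6 header and the skb carries a zero-length link-layer header. A one-line comment stating that this is deliberate, and that the old mac_header offset is no longer valid once the compressed header has been replaced, would keep a later cleanup from dropping the call as redundant. The commit message also locates the failure by line number (af_packet.c line 2088, skbuff.c line 1717), which goes stale as those files change; naming the functions involved and adding a Fixes: tag for the commit that left mac_header unset would make the change easier to backport.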