diff mbox series

ipv6: raw: Deduct extension header length in rawv6_push_pending_frames

Message ID Y7y4Wsfjm0G7kUBm@gondor.apana.org.au (mailing list archive)
State Accepted
Commit cb3e9864cdbe35ff6378966660edbcbac955fe17
Delegated to: Netdev Maintainers
Headers show
Series ipv6: raw: Deduct extension header length in rawv6_push_pending_frames | expand

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 8 of 8 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 16 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Herbert Xu Jan. 10, 2023, 12:59 a.m. UTC 
On Mon, Jan 09, 2023 at 11:08:08AM +0100, Eric Dumazet wrote:
>
> Kyle posted one in https://lore.kernel.org/netdev/Y7s%2FFofVXLwoVgWt@westworld/

Thanks for the link!

It looks like I didn't think about extension headers in the original
patch.

---8<---
The total cork length created by ip6_append_data includes extension
headers, so we must exclude them when comparing them against the
IPV6_CHECKSUM offset which does not include extension headers.

Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
Fixes: 357b40a18b04 ("[IPV6]: IPV6_CHECKSUM socket option can corrupt kernel memory")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Comments

patchwork-bot+netdevbpf@kernel.org Jan. 11, 2023, 12:50 p.m. UTC | #1 
Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Tue, 10 Jan 2023 08:59:06 +0800 you wrote:
> On Mon, Jan 09, 2023 at 11:08:08AM +0100, Eric Dumazet wrote:
> >
> > Kyle posted one in https://lore.kernel.org/netdev/Y7s%2FFofVXLwoVgWt@westworld/
> 
> Thanks for the link!
> 
> It looks like I didn't think about extension headers in the original
> patch.
> 
> [...]

Here is the summary with links:
  - ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
    https://git.kernel.org/netdev/net/c/cb3e9864cdbe

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index c51d5ce3711c..c68020b8de89 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -539,6 +539,7 @@  static int rawv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
 static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
 				     struct raw6_sock *rp)
 {
+	struct ipv6_txoptions *opt;
 	struct sk_buff *skb;
 	int err = 0;
 	int offset;
@@ -556,6 +557,9 @@  static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
 
 	offset = rp->offset;
 	total_len = inet_sk(sk)->cork.base.length;
+	opt = inet6_sk(sk)->cork.opt;
+	total_len -= opt ? opt->opt_flen : 0;
+
 	if (offset >= total_len - 1) {
 		err = -EINVAL;
 		ip6_flush_pending_frames(sk);