Skip to content

Commit

Permalink
udp: prevent bugcheck if filter truncates packet too much
Browse files Browse the repository at this point in the history 
If socket filter truncates an udp packet below the length of UDP header
in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
kernel is configured that way) can be easily enforced by an unprivileged
user which was reported as CVE-2016-6162. For a reproducer, see
http://seclists.org/oss-sec/2016/q3/8

Fixes: e6afc8a ("udp: remove headers from UDP packets before queueing")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
@mkubecek @davem330
mkubecek authored and davem330 committed Jul 11, 2016
1 parent f3ea311 commit a612769
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/ipv4/udp.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1583,6 +1583,8 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)

if (sk_filter(sk, skb))
goto drop;
if (unlikely(skb->len < sizeof(struct udphdr)))
goto drop;

udp_csum_pull_header(skb);
if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
Expand Down
2 changes: 2 additions & 0 deletions net/ipv6/udp.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -620,6 +620,8 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)

if (sk_filter(sk, skb))
goto drop;
if (unlikely(skb->len < sizeof(struct udphdr)))
goto drop;

udp_csum_pull_header(skb);
if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
Expand Down

0 comments on commit a612769

Please sign in to comment.