gso: Ensure that the packet is long enough

When we get a GSO packet from an untrusted source, we need to
ensure that it is sufficiently long so that we don't end up
crashing.

Based on discovery and patch by Ian Campbell.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 0a4ed27f52554edd78f45c9d100ac470b439481a..a3a0c072813bdcee085b244ba9d220dc92eb00d8 100644 (file)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2153,7 +2153,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
        unsigned int seq;
        unsigned int delta;
        unsigned int oldlen;
-       unsigned int len;
+       unsigned int mss;
 
        if (!pskb_may_pull(skb, sizeof(*th)))
                goto out;
@@ -2169,10 +2169,13 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
        oldlen = (u16)~skb->len;
        __skb_pull(skb, thlen);
 
+       mss = skb_shinfo(skb)->gso_size;
+       if (unlikely(skb->len <= mss))
+               goto out;
+
        if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
                /* Packet is from an untrusted source, reset gso_segs. */
                int type = skb_shinfo(skb)->gso_type;
-               int mss;
 
                if (unlikely(type &
                             ~(SKB_GSO_TCPV4 |
@@ -2183,7 +2186,6 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
                             !(type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))))
                        goto out;
 
-               mss = skb_shinfo(skb)->gso_size;
                skb_shinfo(skb)->gso_segs = (skb->len + mss - 1) / mss;
 
                segs = NULL;
@@ -2194,8 +2196,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
        if (IS_ERR(segs))
                goto out;
 
-       len = skb_shinfo(skb)->gso_size;
-       delta = htonl(oldlen + (thlen + len));
+       delta = htonl(oldlen + (thlen + mss));
 
        skb = segs;
        th = skb->h.th;
@@ -2209,7 +2210,7 @@ struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
                        th->check = csum_fold(csum_partial(skb->h.raw, thlen,
                                                           skb->csum));
 
-               seq += len;
+               seq += mss;
                skb = skb->next;
                th = skb->h.th;