release/5.2.47/vxlan-Avoid-infinite-loop-when-suppressing-NS-messag.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From aeb7a6c1a93315acb218c9190f2ffa08be205811 Mon Sep 17 00:00:00 2001
 From: Ido Schimmel <idosch@mellanox.com>
 Date: Mon, 1 Jun 2020 15:58:55 +0300
 Subject: [PATCH] vxlan: Avoid infinite loop when suppressing NS messages with
  invalid options

 commit 8066e6b449e050675df48e7c4b16c29f00507ff0 upstream.

 When proxy mode is enabled the vxlan device might reply to Neighbor
 Solicitation (NS) messages on behalf of remote hosts.

 In case the NS message includes the "Source link-layer address" option
 [1], the vxlan device will use the specified address as the link-layer
 destination address in its reply.

 To avoid an infinite loop, break out of the options parsing loop when
 encountering an option with length zero and disregard the NS message.

 This is consistent with the IPv6 ndisc code and RFC 4886 which states
 that "Nodes MUST silently discard an ND packet that contains an option
 with length zero" [2].

 [1] https://tools.ietf.org/html/rfc4861#section-4.3
 [2] https://tools.ietf.org/html/rfc4861#section-4.6

 Fixes: 4b29dba9c085 ("vxlan: fix nonfunctional neigh_reduce()")
 Signed-off-by: Ido Schimmel <idosch@mellanox.com>
 Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
 index 148d41b4ccc3..f6c3030e282f 100644
 --- a/drivers/net/vxlan.c
 +++ b/drivers/net/vxlan.c
 @@ -1910,6 +1910,10 @@ static struct sk_buff *vxlan_na_create(struct sk_buff *request,
  	ns_olen = request->len - skb_network_offset(request) -
  		sizeof(struct ipv6hdr) - sizeof(*ns);
  	for (i = 0; i < ns_olen-1; i += (ns->opt[i+1]<<3)) {
 +		if (!ns->opt[i + 1]) {
 +			kfree_skb(reply);
 +			return NULL;
 +		}
  		if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) {
  			daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
  			break;
 --
 2.27.0
	From aeb7a6c1a93315acb218c9190f2ffa08be205811 Mon Sep 17 00:00:00 2001
	From: Ido Schimmel <idosch@mellanox.com>
	Date: Mon, 1 Jun 2020 15:58:55 +0300
	Subject: [PATCH] vxlan: Avoid infinite loop when suppressing NS messages with
	invalid options

	commit 8066e6b449e050675df48e7c4b16c29f00507ff0 upstream.

	When proxy mode is enabled the vxlan device might reply to Neighbor
	Solicitation (NS) messages on behalf of remote hosts.

	In case the NS message includes the "Source link-layer address" option
	[1], the vxlan device will use the specified address as the link-layer
	destination address in its reply.

	To avoid an infinite loop, break out of the options parsing loop when
	encountering an option with length zero and disregard the NS message.

	This is consistent with the IPv6 ndisc code and RFC 4886 which states
	that "Nodes MUST silently discard an ND packet that contains an option
	with length zero" [2].

	[1] https://tools.ietf.org/html/rfc4861#section-4.3
	[2] https://tools.ietf.org/html/rfc4861#section-4.6

	Fixes: 4b29dba9c085 ("vxlan: fix nonfunctional neigh_reduce()")
	Signed-off-by: Ido Schimmel <idosch@mellanox.com>
	Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
	index 148d41b4ccc3..f6c3030e282f 100644
	--- a/drivers/net/vxlan.c
	+++ b/drivers/net/vxlan.c
	@@ -1910,6 +1910,10 @@ static struct sk_buff vxlan_na_create(struct sk_buff request,
	ns_olen = request->len - skb_network_offset(request) -
	sizeof(struct ipv6hdr) - sizeof(*ns);
	for (i = 0; i < ns_olen-1; i += (ns->opt[i+1]<<3)) {
	+ if (!ns->opt[i + 1]) {
	+ kfree_skb(reply);
	+ return NULL;
	+ }
	if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) {
	daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
	break;
	--
	2.27.0