releases/4.4.11/gre-do-not-pull-header-in-icmp-error-processing.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Mon May 16 11:21:32 PDT 2016
 From: Jiri Benc <jbenc@redhat.com>
 Date: Fri, 29 Apr 2016 23:31:32 +0200
 Subject: gre: do not pull header in ICMP error processing

 From: Jiri Benc <jbenc@redhat.com>

 [ Upstream commit b7f8fe251e4609e2a437bd2c2dea01e61db6849c ]

 iptunnel_pull_header expects that IP header was already pulled; with this
 expectation, it pulls the tunnel header. This is not true in gre_err.
 Furthermore, ipv4_update_pmtu and ipv4_redirect expect that skb->data points
 to the IP header.

 We cannot pull the tunnel header in this path. It's just a matter of not
 calling iptunnel_pull_header - we don't need any of its effects.

 Fixes: bda7bb463436 ("gre: Allow multiple protocol listener for gre protocol.")
 Signed-off-by: Jiri Benc <jbenc@redhat.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/ipv4/ip_gre.c |   11 ++++++++---
  1 file changed, 8 insertions(+), 3 deletions(-)

 --- a/net/ipv4/ip_gre.c
 +++ b/net/ipv4/ip_gre.c
 @@ -180,6 +180,7 @@ static __be16 tnl_flags_to_gre_flags(__b
  	return flags;
  }

 +/* Fills in tpi and returns header length to be pulled. */
  static int parse_gre_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
  			    bool *csum_err)
  {
 @@ -239,7 +240,7 @@ static int parse_gre_header(struct sk_bu
  				return -EINVAL;
  		}
  	}
 -	return iptunnel_pull_header(skb, hdr_len, tpi->proto);
 +	return hdr_len;
  }

  static void ipgre_err(struct sk_buff *skb, u32 info,
 @@ -342,7 +343,7 @@ static void gre_err(struct sk_buff *skb,
  	struct tnl_ptk_info tpi;
  	bool csum_err = false;

 -	if (parse_gre_header(skb, &tpi, &csum_err)) {
 +	if (parse_gre_header(skb, &tpi, &csum_err) < 0) {
  		if (!csum_err)		/* ignore csum errors. */
  			return;
  	}
 @@ -420,6 +421,7 @@ static int gre_rcv(struct sk_buff *skb)
  {
  	struct tnl_ptk_info tpi;
  	bool csum_err = false;
 +	int hdr_len;

  #ifdef CONFIG_NET_IPGRE_BROADCAST
  	if (ipv4_is_multicast(ip_hdr(skb)->daddr)) {
 @@ -429,7 +431,10 @@ static int gre_rcv(struct sk_buff *skb)
  	}
  #endif

 -	if (parse_gre_header(skb, &tpi, &csum_err) < 0)
 +	hdr_len = parse_gre_header(skb, &tpi, &csum_err);
 +	if (hdr_len < 0)
 +		goto drop;
 +	if (iptunnel_pull_header(skb, hdr_len, tpi.proto) < 0)
  		goto drop;

  	if (ipgre_rcv(skb, &tpi) == PACKET_RCVD)
	From foo@baz Mon May 16 11:21:32 PDT 2016
	From: Jiri Benc <jbenc@redhat.com>
	Date: Fri, 29 Apr 2016 23:31:32 +0200
	Subject: gre: do not pull header in ICMP error processing

	From: Jiri Benc <jbenc@redhat.com>

	[ Upstream commit b7f8fe251e4609e2a437bd2c2dea01e61db6849c ]

	iptunnel_pull_header expects that IP header was already pulled; with this
	expectation, it pulls the tunnel header. This is not true in gre_err.
	Furthermore, ipv4_update_pmtu and ipv4_redirect expect that skb->data points
	to the IP header.

	We cannot pull the tunnel header in this path. It's just a matter of not
	calling iptunnel_pull_header - we don't need any of its effects.

	Fixes: bda7bb463436 ("gre: Allow multiple protocol listener for gre protocol.")
	Signed-off-by: Jiri Benc <jbenc@redhat.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/ipv4/ip_gre.c \| 11 ++++++++---
	1 file changed, 8 insertions(+), 3 deletions(-)

	--- a/net/ipv4/ip_gre.c
	+++ b/net/ipv4/ip_gre.c
	@@ -180,6 +180,7 @@ static __be16 tnl_flags_to_gre_flags(__b
	return flags;
	}

	+/* Fills in tpi and returns header length to be pulled. */
	static int parse_gre_header(struct sk_buff skb, struct tnl_ptk_info tpi,
	bool *csum_err)
	{
	@@ -239,7 +240,7 @@ static int parse_gre_header(struct sk_bu
	return -EINVAL;
	}
	}
	- return iptunnel_pull_header(skb, hdr_len, tpi->proto);
	+ return hdr_len;
	}

	static void ipgre_err(struct sk_buff *skb, u32 info,
	@@ -342,7 +343,7 @@ static void gre_err(struct sk_buff *skb,
	struct tnl_ptk_info tpi;
	bool csum_err = false;

	- if (parse_gre_header(skb, &tpi, &csum_err)) {
	+ if (parse_gre_header(skb, &tpi, &csum_err) < 0) {
	if (!csum_err) /* ignore csum errors. */
	return;
	}
	@@ -420,6 +421,7 @@ static int gre_rcv(struct sk_buff *skb)
	{
	struct tnl_ptk_info tpi;
	bool csum_err = false;
	+ int hdr_len;

	#ifdef CONFIG_NET_IPGRE_BROADCAST
	if (ipv4_is_multicast(ip_hdr(skb)->daddr)) {
	@@ -429,7 +431,10 @@ static int gre_rcv(struct sk_buff *skb)
	}
	#endif

	- if (parse_gre_header(skb, &tpi, &csum_err) < 0)
	+ hdr_len = parse_gre_header(skb, &tpi, &csum_err);
	+ if (hdr_len < 0)
	+ goto drop;
	+ if (iptunnel_pull_header(skb, hdr_len, tpi.proto) < 0)
	goto drop;

	if (ipgre_rcv(skb, &tpi) == PACKET_RCVD)