From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shards.monkeyblade.net (shards.monkeyblade.net [IPv6:2620:137:e000::1:9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.bufferbloat.net (Postfix) with ESMTPS id 4995C3B29E for ; Tue, 7 Jul 2020 18:49:13 -0400 (EDT) Received: from localhost (unknown [IPv6:2601:601:9f00:477::3d5]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: davem-davemloft) by shards.monkeyblade.net (Postfix) with ESMTPSA id B24BA120F19EC; Tue, 7 Jul 2020 15:49:10 -0700 (PDT) Date: Tue, 07 Jul 2020 15:49:10 -0700 (PDT) Message-Id: <20200707.154910.182089612829642491.davem@davemloft.net> To: toke@redhat.com Cc: netdev@vger.kernel.org, cake@lists.bufferbloat.net, dcaratti@redhat.com, jiri@resnulli.us, jhs@mojatatu.com, xiyou.wangcong@gmail.com, toshiaki.makita1@gmail.com, daniel@iogearbox.net From: David Miller In-Reply-To: <20200707110325.86731-1-toke@redhat.com> References: <20200707110325.86731-1-toke@redhat.com> X-Mailer: Mew version 6.8 on Emacs 26.3 Mime-Version: 1.0 Content-Type: Text/Plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12 (shards.monkeyblade.net [149.20.54.216]); Tue, 07 Jul 2020 15:49:11 -0700 (PDT) Subject: Re: [Cake] [PATCH net v2] vlan: consolidate VLAN parsing code and limit max parsing depth X-BeenThere: cake@lists.bufferbloat.net X-Mailman-Version: 2.1.20 Precedence: list List-Id: Cake - FQ_codel the next generation List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Jul 2020 22:49:13 -0000 From: Toke H=F8iland-J=F8rgensen Date: Tue, 7 Jul 2020 13:03:25 +0200 > Toshiaki pointed out that we now have two very similar functions to e= xtract > the L3 protocol number in the presence of VLAN tags. And Daniel point= ed out > that the unbounded parsing loop makes it possible for maliciously cra= fted > packets to loop through potentially hundreds of tags. > = > Fix both of these issues by consolidating the two parsing functions a= nd > limiting the VLAN tag parsing to a max depth of 8 tags. As part of th= is, > switch over __vlan_get_protocol() to use skb_header_pointer() instead= of > pskb_may_pull(), to avoid the possible side effects of the latter and= keep > the skb pointer 'const' through all the parsing functions. > = > v2: > - Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT) > = > Reported-by: Toshiaki Makita > Reported-by: Daniel Borkmann > Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header access= es in the presence of VLANs") > Signed-off-by: Toke H=F8iland-J=F8rgensen Applied, thank you.