Commit 6f092343 authored by Jason Wang's avatar Jason Wang Committed by David S. Miller
Browse files

net: flow_dissector: fail on evil iph->ihl

We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
is evil (less than 5).

This issue were introduced by commit ec5efe79

(rps: support IPIP encapsulation).

Cc: Eric Dumazet <>
Cc: Petr Matousek <>
Cc: Michael S. Tsirkin <>
Cc: Daniel Borkmann <>
Signed-off-by: default avatarJason Wang <>
Acked-by: default avatarEric Dumazet <>
Signed-off-by: default avatarDavid S. Miller <>
parent 2e19ef02
......@@ -40,7 +40,7 @@ bool skb_flow_dissect(const struct sk_buff *skb, struct flow_keys *flow)
struct iphdr _iph;
iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
if (!iph)
if (!iph || iph->ihl < 5)
return false;
if (ip_is_fragment(iph))
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment