• Stefano Brivio's avatar
    neighbour: Avoid writing before skb->head in neigh_hh_output() · 5873b2c7
    Stefano Brivio authored
    [ Upstream commit e6ac64d4c4d095085d7dd71cbd05704ac99829b2 ]
    
    While skb_push() makes the kernel panic if the skb headroom is less than
    the unaligned hardware header size, it will proceed normally in case we
    copy more than that because of alignment, and we'll silently corrupt
    adjacent slabs.
    
    In the case fixed by the previous patch,
    "ipv6: Check available headroom in ip6_xmit() even without options", we
    end up in neigh_hh_output() with 14 bytes headroom, 14 bytes hardware
    header and write 16 bytes, starting 2 bytes before the allocated buffer.
    
    Always check we're not writing before skb->head and, if the headroom is
    not enough, warn and drop the packet.
    
    v2:
     - instead of panicking with BUG_ON(), WARN_ON_ONCE() and drop the packet
       (Eric Dumazet)
     - if we avoid the panic, though, we need to explicitly check the headroom
       before the memcpy(), otherwise we'll have corrupted slabs on a running
       kernel, after we warn
     - use __skb_push() instead of skb_push(), as the headroom check is
       already implemented here explicitly (Eric Dumazet)
    Signed-off-by: 's avatarStefano Brivio <sbrivio@redhat.com>
    Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    5873b2c7
Name
Last commit
Last update
..
acpi Loading commit data...
asm-generic Loading commit data...
clocksource Loading commit data...
crypto Loading commit data...
drm Loading commit data...
dt-bindings Loading commit data...
keys Loading commit data...
kvm Loading commit data...
linux Loading commit data...
math-emu Loading commit data...
media Loading commit data...
memory Loading commit data...
misc Loading commit data...
net Loading commit data...
pcmcia Loading commit data...
ras Loading commit data...
rdma Loading commit data...
rxrpc Loading commit data...
scsi Loading commit data...
soc Loading commit data...
sound Loading commit data...
target Loading commit data...
trace Loading commit data...
uapi Loading commit data...
video Loading commit data...
xen Loading commit data...
Kbuild Loading commit data...