| commit | eed4511cb408f018fbc5c73b241a25d952e2ef20 | [log] [tgz] |
|---|---|---|
| author | Eric Dumazet <[email protected]> | Tue Sep 05 04:23:38 2023 +0000 |
| committer | Oleksandr Tymoshenko <[email protected]> | Fri Oct 20 20:42:40 2023 +0000 |
| tree | 2397245bba143fbb9e4147f627dcfc8faefbd7d2 | |
| parent | 77dd8477b7c52179bd0ccbbe009bd28c1ffd9149 [diff] |
igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
commit c3b704d4a4a265660e665df51b129e8425216ed1 upstream.
This is a follow up of commit 915d975b2ffa ("net: deal with integer
overflows in kmalloc_reserve()") based on David Laight feedback.
Back in 2010, I failed to realize malicious users could set dev->mtu
to arbitrary values. This mtu has been since limited to 0x7fffffff but
regardless of how big dev->mtu is, it makes no sense for igmpv3_newpack()
to allocate more than IP_MAX_MTU and risk various skb fields overflows.
BUG=b/306357801
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2023-42752 in the Linux kernel.
cos-patch: security-moderate
Fixes: 57e1ab6eaddc ("igmp: refine skb allocations")
Link: https://lore.kernel.org/netdev/[email protected]/
Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: David Laight <[email protected]>
Cc: Kyle Zeng <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Change-Id: I04ca8641dfe0d61b103a8ef941196ec9c837fb79
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/59734
Reviewed-by: Arnav Kansal <[email protected]>
Tested-by: Cusky Presubmit Bot <[email protected]>