Re: [PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit

[PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit · Steffen Klassert <steffen.klassert@secunet.com> · 2013-09-25
[PATCH net 2/2] ip_tunnel: Add fallback tunnels to the hash lists · Steffen Klassert <steffen.klassert@secunet.com> · 2013-09-25
Re: [PATCH net 2/2] ip_tunnel: Add fallback tunnels to the hash lists · Pravin Shelar <hidden> · 2013-09-25
Re: [PATCH net 2/2] ip_tunnel: Add fallback tunnels to the hash lists · Steffen Klassert <steffen.klassert@secunet.com> · 2013-09-26
Re: [PATCH net 2/2] ip_tunnel: Add fallback tunnels to the hash lists · Pravin Shelar <hidden> · 2013-09-26
Re: [PATCH net 2/2] ip_tunnel: Add fallback tunnels to the hash lists · Steffen Klassert <steffen.klassert@secunet.com> · 2013-09-27
Re: [PATCH net 2/2] ip_tunnel: Add fallback tunnels to the hash lists · Pravin Shelar <hidden> · 2013-09-28
Re: [PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit · Eric Dumazet <hidden> · 2013-09-25
Re: [PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit · Steffen Klassert <steffen.klassert@secunet.com> · 2013-09-25
Re: [PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit · Eric Dumazet <hidden> · 2013-09-25
Re: [PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit · Pravin Shelar <hidden> · 2013-09-25
Re: [PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit · Steffen Klassert <steffen.klassert@secunet.com> · 2013-09-26
Re: [PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit · Pravin Shelar <hidden> · 2013-09-26
Re: [PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit · Steffen Klassert <steffen.klassert@secunet.com> · 2013-09-27
Re: [PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit · Pravin Shelar <hidden> · 2013-09-28
Re: [PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit · David Miller <davem@davemloft.net> · 2013-09-30
Re: [PATCH net 1/2] ip_tunnel: Fix a memory corruption in ip_tunnel_xmit · Steffen Klassert <steffen.klassert@secunet.com> · 2013-10-01

From: Steffen Klassert <steffen.klassert@secunet.com>
Date: 2013-09-26 08:25:55

On Wed, Sep 25, 2013 at 09:55:50AM -0700, Pravin Shelar wrote:

On Tue, Sep 24, 2013 at 10:54 PM, Steffen Klassert
[off-list ref] wrote:

quoted

We might extend the used aera of a skb beyond the total
headroom when we install the ipip header. Fix this by
calling skb_cow_head() unconditionally.

It is better to call skb_cow_head() from ipip_tunnel_xmit() as it is
consistent with gre.

I think this would just move the bug from ipip to gre. ipgre_xmit()
uses dev->needed_headroom which is based on the guessed output device
in ip_tunnel_bind_dev(). If the device we get from the route lookup
in ip_tunnel_xmit() is different from the guessed one and the resulting
max_headroom is bigger than dev->needed_headroom, we run into that bug
because skb_cow_head() will not be called with the updated
dev->needed_headroom.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help