path: root/net/ipv6/ip6_output.c
diff options
authorHannes Frederic Sowa <>2015-10-16 11:32:43 +0200
committerDavid S. Miller <>2015-10-23 02:49:36 -0700
commitb72a2b01b686f242028038f630555513c9e4de38 (patch)
tree00351145ca8f839024370cf1909358845357bf3a /net/ipv6/ip6_output.c
parent79907146fb5b1778035870db895fb2bf64061284 (diff)
ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues
Raw sockets with hdrincl enabled can insert ipv6 extension headers right into the data stream. In case we need to fragment those packets, we reparse the options header to find the place where we can insert the fragment header. If the extension headers exceed the link's MTU we actually cannot make progress in such a case. Instead of ending up in broken arithmetic or rounding towards 0 and entering an endless loop in ip6_fragment, just prevent those cases by aborting early and signal -EMSGSIZE to user space. Reported-by: Dmitry Vyukov <> Cc: Dmitry Vyukov <> Signed-off-by: Hannes Frederic Sowa <> Signed-off-by: David S. Miller <>
Diffstat (limited to 'net/ipv6/ip6_output.c')
1 files changed, 5 insertions, 1 deletions
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index d03d6da772f3..8dddb45c433e 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -28,6 +28,7 @@
#include <linux/errno.h>
#include <linux/kernel.h>
+#include <linux/overflow-arith.h>
#include <linux/string.h>
#include <linux/socket.h>
#include <linux/net.h>
@@ -584,7 +585,10 @@ int ip6_fragment(struct sock *sk, struct sk_buff *skb,
if (np->frag_size)
mtu = np->frag_size;
- mtu -= hlen + sizeof(struct frag_hdr);
+ if (overflow_usub(mtu, hlen + sizeof(struct frag_hdr), &mtu) ||
+ mtu <= 7)
+ goto fail_toobig;
frag_id = ipv6_select_ident(net, &ipv6_hdr(skb)->daddr,