10 May
2016
10 May
'16
8:54 p.m.
On Mon, 2016-05-09 at 00:55 +0200, Pablo Neira Ayuso wrote:
+static int gtp1u_udp_encap_recv(struct gtp_dev *gtp, struct sk_buff *skb,
bool xnet)+{
- unsigned int hdrlen = sizeof(struct udphdr) +
sizeof(struct gtp1_header);- struct gtp1_header *gtp1;
- struct pdp_ctx *pctx;
- int ret = 0;
- if (!pskb_may_pull(skb, hdrlen))
return -1;- gtp1 = (struct gtp1_header *)(skb->data + sizeof(struct udphdr));
- if ((gtp1->flags >> 5) != GTP_V1)
return 1;- if (gtp1->type != GTP_TPDU)
return 1;- /* From 29.060: "This field shall be present if and only if any one or
* more of the S, PN and E flags are set.".** If any of the bit is set, then the remaining ones also have to be* set.*/- if (gtp1->flags & GTP1_F_MASK)
hdrlen += 4;- /* Make sure the header is larger enough, including extensions. */
- if (!pskb_may_pull(skb, hdrlen))
return -1;
You need to reload gtp1 here, as the previous pskb_may_pull() might have reallocated skb->head
- rcu_read_lock();
- pctx = gtp1_pdp_find(gtp, ntohl(gtp1->tid));
Or risk a use after free here.
- if (!pctx) {
netdev_dbg(gtp->dev, "No PDP ctx to decap skb=%p\n", skb);ret = -1;goto out_rcu;- }
- if (!gtp_check_src_ms(skb, pctx, hdrlen)) {
netdev_dbg(gtp->dev, "No PDP ctx for this MS\n");ret = -1;goto out_rcu;- }
- rcu_read_unlock();
- /* Get rid of the GTP + UDP headers. */
- return iptunnel_pull_header(skb, hdrlen, skb->protocol, xnet);
+out_rcu:
- rcu_read_unlock();
- return ret;
+}