From: Toke Høiland-Jørgensen <t...@redhat.com>
Date: Tue, 7 Jul 2020 13:03:25 +0200
> Toshiaki pointed out that we now have two very similar functions to extract
> the L3 protocol number in the presence of VLAN tags. And Daniel pointed out
> that the unbounded parsing loop makes it possible for maliciously crafted
> packets to loop through potentially hundreds of tags.
>
> Fix both of these issues by consolidating the two parsing functions and
> limiting the VLAN tag parsing to a max depth of 8 tags. As part of this,
> switch over __vlan_get_protocol() to use skb_header_pointer() instead of
> pskb_may_pull(), to avoid the possible side effects of the latter and keep
> the skb pointer 'const' through all the parsing functions.
>
> v2:
> - Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT)
>
> Reported-by: Toshiaki Makita <toshiaki.maki...@gmail.com>
> Reported-by: Daniel Borkmann <dan...@iogearbox.net>
> Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in
> the presence of VLANs")
> Signed-off-by: Toke Høiland-Jørgensen <t...@redhat.com>
Applied, thank you.
