gre: refetch erspan header from skb->data after pskb_may_pull()

congwang · davem330 · commit 0e4940928c26 · 2019-12-07T11:53:27.000-08:00
After pskb_may_pull() we should always refetch the header pointers from the skb->data in case it got reallocated. In gre_parse_header(), the erspan header is still fetched from the 'options' pointer which is fetched before pskb_may_pull(). Found this during code review of a KMSAN bug report. Fixes: cb73ee4 ("net: ip_gre: use erspan key field for tunnel lookup") Cc: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Acked-by: William Tu <u9012063@gmail.com> Reviewed-by: Simon Horman <simon.horman@netronome.com> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/ipv4/gre_demux.c b/net/ipv4/gre_demux.c
@@ -127,7 +127,7 @@ int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
 		if (!pskb_may_pull(skb, nhs + hdr_len + sizeof(*ershdr)))
 			return -EINVAL;
 
-		ershdr = (struct erspan_base_hdr *)options;
+		ershdr = (struct erspan_base_hdr *)(skb->data + nhs + hdr_len);
 		tpi->key = cpu_to_be32(get_session_id(ershdr));
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ int gre_parse_header(struct sk_buff skb, struct tnl_ptk_info tpi,`
`127`	`127`	`if (!pskb_may_pull(skb, nhs + hdr_len + sizeof(*ershdr)))`
`128`	`128`	`return -EINVAL;`
`129`	`129`
`130`		`- ershdr = (struct erspan_base_hdr *)options;`
	`130`	`+ ershdr = (struct erspan_base_hdr *)(skb->data + nhs + hdr_len);`
`131`	`131`	`tpi->key = cpu_to_be32(get_session_id(ershdr));`
`132`	`132`	`}`
`133`	`133`