net: __skb_flow_dissect() must cap its return value

After Tom patch, thoff field could point past the end of the buffer,
this could fool some callers.

If an skb was provided, skb->len should be the upper limit.
If not, hlen is supposed to be the upper limit.

Fixes: a6e544b0a88b ("flow_dissector: Jump to exit code in __skb_flow_dissect")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Yibin Yang <yibyang@cisco.com
Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 8 insertions, 3 deletions

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index ab193e5def07..69e4463a4b1b 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -122,7 +122,7 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
         struct flow_dissector_key_keyid *key_keyid;
         bool skip_vlan = false;
         u8 ip_proto = 0;
-        bool ret = false;
+        bool ret;
 
         if (!data) {
                 data = skb->data;
@@ -549,12 +549,17 @@ ip_proto_again:
 out_good:
         ret = true;
 
-out_bad:
+        key_control->thoff = (u16)nhoff;
+out:
         key_basic->n_proto = proto;
         key_basic->ip_proto = ip_proto;
-        key_control->thoff = (u16)nhoff;
 
         return ret;
+
+out_bad:
+        ret = false;
+        key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
+        goto out;
 }
 EXPORT_SYMBOL(__skb_flow_dissect);