[IPV4]: ipip and ip_gre encapsulation bugs

Handling of ipip and ip_gre ICMP error relaying is b0rken; it accesses 8bit field + 3 reserved octets as host-endian 32bit, does comparison, subtraction and stuffs the result back. That breaks on big-endian. Fixed, made endian-clean. [ Note that this effected code is permanently commented out with and ifdef, so this error couldn't actually cause problems for anyone. -DaveM ] Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Al Viro <viro@zeniv.linux.org.uk> 2006-09-19 16:23:19 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-09-22 18:19:43 -0400
commit: c55e2f4997a104d66b59bdf1aa8ab125d09ae00a (patch)
tree: 51c92b1085e5a3067a14386c0b449ac33036bb7a /net/ipv4/ip_gre.c
parent: 593f16aa627d61da447c76ee5a159450174627f6 (diff)
1 files changed, 13 insertions, 10 deletions
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index e66f6ff2e198..f5fba051df3d 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -393,7 +393,8 @@ out:
        int code = skb->h.icmph->code;
        int rel_type = 0;
        int rel_code = 0;
-        int rel_info = 0;
+        __be32 rel_info = 0;
+        __u32 n = 0;
        u16 flags;
        int grehlen = (iph->ihl<<2) + 4;
        struct sk_buff *skb2;
@@ -422,14 +423,16 @@ out:
        default:
                return;
        case ICMP_PARAMETERPROB:
-                if (skb->h.icmph->un.gateway < (iph->ihl<<2))
+                n = ntohl(skb->h.icmph->un.gateway) >> 24;
+                if (n < (iph->ihl<<2))
                        return;
                /* So... This guy found something strange INSIDE encapsulated
                   packet. Well, he is fool, but what can we do ?
                 */
                rel_type = ICMP_PARAMETERPROB;
-                rel_info = skb->h.icmph->un.gateway - grehlen;
+                n -= grehlen;
+                rel_info = htonl(n << 24);
                break;
        case ICMP_DEST_UNREACH:
@@ -440,13 +443,14 @@ out:
                        return;
                case ICMP_FRAG_NEEDED:
                        /* And it is the only really necessary thing :-) */
-                        rel_info = ntohs(skb->h.icmph->un.frag.mtu);
+                        n = ntohs(skb->h.icmph->un.frag.mtu);
-                        if (rel_info < grehlen+68)
+                        if (n < grehlen+68)
                                return;
-                        rel_info -= grehlen;
+                        n -= grehlen;
                        /* BSD 4.2 MORE DOES NOT EXIST IN NATURE. */
-                        if (rel_info > ntohs(eiph->tot_len))
+                        if (n > ntohs(eiph->tot_len))
                                return;
+                        rel_info = htonl(n);
                        break;
                default:
                        /* All others are translated to HOST_UNREACH.
@@ -508,12 +512,11 @@ out:
        /* change mtu on this route */
        if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
-                if (rel_info > dst_mtu(skb2->dst)) {
+                if (n > dst_mtu(skb2->dst)) {
                        kfree_skb(skb2);
                        return;
                }
-                skb2->dst->ops->update_pmtu(skb2->dst, rel_info);
+                skb2->dst->ops->update_pmtu(skb2->dst, n);
-                rel_info = htonl(rel_info);
        } else if (type == ICMP_TIME_EXCEEDED) {
                struct ip_tunnel *t = netdev_priv(skb2->dev);
                if (t->parms.iph.ttl) {
author	Al Viro <viro@zeniv.linux.org.uk>	2006-09-19 16:23:19 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-09-22 18:19:43 -0400
commit	c55e2f4997a104d66b59bdf1aa8ab125d09ae00a (patch)
tree	51c92b1085e5a3067a14386c0b449ac33036bb7a /net/ipv4/ip_gre.c
parent	593f16aa627d61da447c76ee5a159450174627f6 (diff)