erspan: fix invalid erspan version.
authorWilliam Tu <u9012063@gmail.com>
Thu, 17 May 2018 00:24:32 +0000 (17:24 -0700)
committerDavid S. Miller <davem@davemloft.net>
Thu, 17 May 2018 19:48:49 +0000 (15:48 -0400)
ERSPAN only support version 1 and 2.  When packets send to an
erspan device which does not have proper version number set,
drop the packet.  In real case, we observe multicast packets
sent to the erspan pernet device, erspan0, which does not have
erspan version configured.

Reported-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: William Tu <u9012063@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ip_gre.c
net/ipv6/ip6_gre.c

index 9c169bb2444d5990c7562692ba1c92030898bca4..f200b304f76cb37c704e4bb84c1e9acd2f76df0e 100644 (file)
@@ -722,10 +722,12 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
                erspan_build_header(skb, ntohl(tunnel->parms.o_key),
                                    tunnel->index,
                                    truncate, true);
-       else
+       else if (tunnel->erspan_ver == 2)
                erspan_build_header_v2(skb, ntohl(tunnel->parms.o_key),
                                       tunnel->dir, tunnel->hwid,
                                       truncate, true);
+       else
+               goto free_skb;
 
        tunnel->parms.o_flags &= ~TUNNEL_KEY;
        __gre_xmit(skb, dev, &tunnel->parms.iph, htons(ETH_P_ERSPAN));
index 69727bc168cb027009dac95431e40b71291697da..a3e1dec96a7482e6a6c27cd62426a3f4e0128d1b 100644 (file)
@@ -979,11 +979,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
                        erspan_build_header(skb, ntohl(t->parms.o_key),
                                            t->parms.index,
                                            truncate, false);
-               else
+               else if (t->parms.erspan_ver == 2)
                        erspan_build_header_v2(skb, ntohl(t->parms.o_key),
                                               t->parms.dir,
                                               t->parms.hwid,
                                               truncate, false);
+               else
+                       goto tx_err;
+
                fl6.daddr = t->parms.raddr;
        }