[IPV4]: ipip and ip_gre encapsulation bugs
authorAl Viro <viro@zeniv.linux.org.uk>
Tue, 19 Sep 2006 20:23:19 +0000 (13:23 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Fri, 22 Sep 2006 22:19:43 +0000 (15:19 -0700)
Handling of ipip and ip_gre ICMP error relaying is b0rken; it accesses
8bit field + 3 reserved octets as host-endian 32bit, does comparison,
subtraction and stuffs the result back.  That breaks on big-endian.

Fixed, made endian-clean.

[ Note that this affected code is permanently commented out with
  an ifdef, so this error couldn't actually cause problems for
  anyone. -DaveM ]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ip_gre.c
net/ipv4/ipip.c

index e66f6ff..f5fba05 100644 (file)
@@ -393,7 +393,8 @@ out:
        int code = skb->h.icmph->code;
        int rel_type = 0;
        int rel_code = 0;
-       int rel_info = 0;
+       __be32 rel_info = 0;
+       __u32 n = 0;
        u16 flags;
        int grehlen = (iph->ihl<<2) + 4;
        struct sk_buff *skb2;
@@ -422,14 +423,16 @@ out:
        default:
                return;
        case ICMP_PARAMETERPROB:
-               if (skb->h.icmph->un.gateway < (iph->ihl<<2))
+               n = ntohl(skb->h.icmph->un.gateway) >> 24;
+               if (n < (iph->ihl<<2))
                        return;
 
                /* So... This guy found something strange INSIDE encapsulated
                   packet. Well, he is fool, but what can we do ?
                 */
                rel_type = ICMP_PARAMETERPROB;
-               rel_info = skb->h.icmph->un.gateway - grehlen;
+               n -= grehlen;
+               rel_info = htonl(n << 24);
                break;
 
        case ICMP_DEST_UNREACH:
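Review bot: The bound check `if (n < (iph->ihl<<2))` does not match the quantity subtracted two lines later, `n -= grehlen;`, where the declaration hunk sets `grehlen = (iph->ihl<<2) + 4`; a pointer byte that lands in that four-octet window passes the check, `n` (a `__u32`) wraps on the subtraction, and `htonl(n << 24)` relays a meaningless pointer to the inner sender. The check should use the same value as the subtraction, `if (n < grehlen)`. The mismatch predates this commit (the removed line also compared against `iph->ihl<<2`), and the commit message says this path sits under a permanent ifdef, so it is latent rather than reachable today; if `grehlen` is grown for GRE option fields in the lines between the two hunks, which are outside this view, the same check-against-grehlen form still holds.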
@@ -440,13 +443,14 @@ out:
                        return;
                case ICMP_FRAG_NEEDED:
                        /* And it is the only really necessary thing :-) */
-                       rel_info = ntohs(skb->h.icmph->un.frag.mtu);
-                       if (rel_info < grehlen+68)
+                       n = ntohs(skb->h.icmph->un.frag.mtu);
+                       if (n < grehlen+68)
                                return;
-                       rel_info -= grehlen;
+                       n -= grehlen;
                        /* BSD 4.2 MORE DOES NOT EXIST IN NATURE. */
-                       if (rel_info > ntohs(eiph->tot_len))
+                       if (n > ntohs(eiph->tot_len))
                                return;
+                       rel_info = htonl(n);
                        break;
                default:
                        /* All others are translated to HOST_UNREACH.
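Review bot: `68` in `if (n < grehlen+68)` is an unexplained literal: it is the minimum IPv4 datagram size every host must accept (RFC 791), and the check rejects a relayed MTU that would be below that once the tunnel overhead `grehlen` is stripped. A one-line comment would save the next reader the lookup, e.g. `/* 68 = minimum IPv4 MTU (RFC 791); smaller after stripping the GRE overhead is bogus */`. The same literal is repeated in the ipip.c counterpart, so a shared named constant would be better still.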
@@ -508,12 +512,11 @@ out:
 
        /* change mtu on this route */
        if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
-               if (rel_info > dst_mtu(skb2->dst)) {
+               if (n > dst_mtu(skb2->dst)) {
                        kfree_skb(skb2);
                        return;
                }
-               skb2->dst->ops->update_pmtu(skb2->dst, rel_info);
-               rel_info = htonl(rel_info);
+               skb2->dst->ops->update_pmtu(skb2->dst, n);
        } else if (type == ICMP_TIME_EXCEEDED) {
                struct ip_tunnel *t = netdev_priv(skb2->dev);
                if (t->parms.iph.ttl) {
index 76ab50b..0c45565 100644 (file)
@@ -341,7 +341,8 @@ out:
        int code = skb->h.icmph->code;
        int rel_type = 0;
        int rel_code = 0;
-       int rel_info = 0;
+       __be32 rel_info = 0;
+       __u32 n = 0;
        struct sk_buff *skb2;
        struct flowi fl;
        struct rtable *rt;
@@ -354,14 +355,15 @@ out:
        default:
                return 0;
        case ICMP_PARAMETERPROB:
-               if (skb->h.icmph->un.gateway < hlen)
+               n = ntohl(skb->h.icmph->un.gateway) >> 24;
+               if (n < hlen)
                        return 0;
 
                /* So... This guy found something strange INSIDE encapsulated
                   packet. Well, he is fool, but what can we do ?
                 */
                rel_type = ICMP_PARAMETERPROB;
-               rel_info = skb->h.icmph->un.gateway - hlen;
+               rel_info = htonl((n - hlen) << 24);
                break;
 
        case ICMP_DEST_UNREACH:
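Review bot: The pointer fix-up is written in a different shape here than in ip_gre.c: this file does `rel_info = htonl((n - hlen) << 24);` in one expression, while ip_gre.c does `n -= grehlen;` followed by `rel_info = htonl(n << 24);`. Both are correct because `n < hlen` has already returned, but the two tunnel drivers are meant to mirror each other and the one-expression form leaves `n` holding the un-adjusted pointer, unlike the GRE side; picking one shape for both files makes the next endian or bounds fix easier to apply in lockstep.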
@@ -372,13 +374,14 @@ out:
                        return 0;
                case ICMP_FRAG_NEEDED:
                        /* And it is the only really necessary thing :-) */
-                       rel_info = ntohs(skb->h.icmph->un.frag.mtu);
-                       if (rel_info < hlen+68)
+                       n = ntohs(skb->h.icmph->un.frag.mtu);
+                       if (n < hlen+68)
                                return 0;
-                       rel_info -= hlen;
+                       n -= hlen;
                        /* BSD 4.2 MORE DOES NOT EXIST IN NATURE. */
-                       if (rel_info > ntohs(eiph->tot_len))
+                       if (n > ntohs(eiph->tot_len))
                                return 0;
+                       rel_info = htonl(n);
                        break;
                default:
                        /* All others are translated to HOST_UNREACH.
@@ -440,12 +443,11 @@ out:
 
        /* change mtu on this route */
        if (type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED) {
-               if (rel_info > dst_mtu(skb2->dst)) {
+               if (n > dst_mtu(skb2->dst)) {
                        kfree_skb(skb2);
                        return 0;
                }
-               skb2->dst->ops->update_pmtu(skb2->dst, rel_info);
-               rel_info = htonl(rel_info);
+               skb2->dst->ops->update_pmtu(skb2->dst, n);
        } else if (type == ICMP_TIME_EXCEEDED) {
                struct ip_tunnel *t = netdev_priv(skb2->dev);
                if (t->parms.iph.ttl) {