ipv6: raw: Deduct extension header length in rawv6_push_pending_frames

Origin: https://git.kernel.org/linus/cb3e9864cdbe35ff6378966660edbcbac955fe17
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-0394

The total cork length created by ip6_append_data includes extension
headers, so we must exclude them when comparing them against the
IPV6_CHECKSUM offset which does not include extension headers.

Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
Fixes: 357b40a18b04 ("[IPV6]: IPV6_CHECKSUM socket option can corrupt kernel memory")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name ipv6-raw-Deduct-extension-header-length-in-rawv6_pus.patch

diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 31eb54e92b3f944409707f390ef388f94d2fc8b9..110254f44a468c106f5960863b4d7398ef6ff98d 100644 (file)
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -539,6 +539,7 @@ csum_copy_err:
 static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
                                     struct raw6_sock *rp)
 {
+       struct ipv6_txoptions *opt;
        struct sk_buff *skb;
        int err = 0;
        int offset;
@@ -556,6 +557,9 @@ static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
 
        offset = rp->offset;
        total_len = inet_sk(sk)->cork.base.length;
+       opt = inet6_sk(sk)->cork.opt;
+       total_len -= opt ? opt->opt_flen : 0;
+
        if (offset >= total_len - 1) {
                err = -EINVAL;
                ip6_flush_pending_frames(sk);