net: ipv6: Validate GSO SKB before finish IPv6 processing - linux.git

diff options

author	Aya Levin <ayal@nvidia.com>	2021-01-07 15:50:18 +0200
committer	Jakub Kicinski <kuba@kernel.org>	2021-01-09 14:06:32 -0800
commit	b210de4f8c97d57de051e805686248ec4c6cfc52 (patch)
tree	ba7e41b91053d811d14426cc279b27ddbda866db /net/tipc
parent	a2bc221b972db91e4be1970e776e98f16aa87904 (diff)

net: ipv6: Validate GSO SKB before finish IPv6 processing

There are cases where GSO segment's length exceeds the egress MTU: - Forwarding of a TCP GRO skb, when DF flag is not set. - Forwarding of an skb that arrived on a virtualisation interface (virtio-net/vhost/tap) with TSO/GSO size set by other network stack. - Local GSO skb transmitted on an NETIF_F_TSO tunnel stacked over an interface with a smaller MTU. - Arriving GRO skb (or GSO skb in a virtualised environment) that is bridged to a NETIF_F_TSO tunnel stacked over an interface with an insufficient MTU. If so: - Consume the SKB and its segments. - Issue an ICMP packet with 'Packet Too Big' message containing the MTU, allowing the source host to reduce its Path MTU appropriately. Note: These cases are handled in the same manner in IPv4 output finish. This patch aligns the behavior of IPv6 and the one of IPv4. Fixes: 9e50849054a4 ("netfilter: ipv6: move POSTROUTING invocation before fragmentation") Signed-off-by: Aya Levin <ayal@nvidia.com> Reviewed-by: Tariq Toukan <tariqt@nvidia.com> Link: https://lore.kernel.org/r/1610027418-30438-1-git-send-email-ayal@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Diffstat (limited to 'net/tipc')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: