net: flow_dissector: fail on evil iph->ihl

CVE-2013-4348
The skb_flow_dissect function in net/core/flow_dissector.c in the Linux
kernel through 3.12 allows remote attackers to cause a denial of service
(infinite loop) via a small value in the IHL field of a packet with IPIP
encapsulation.

We don't validate iph->ihl which may lead a dead loop if we meet a IPIP
skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl
is evil (less than 5).

This issue were introduced by commit ec5efe7
(rps: support IPIP encapsulation).

Change-Id: I5b03af9ac175fcd73d696dc0d42233d4a740f567
Cc: Eric Dumazet <[email protected]>
Cc: Petr Matousek <[email protected]>
Cc: Michael S. Tsirkin <[email protected]>
Cc: Daniel Borkmann <[email protected]>
Signed-off-by: Jason Wang <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Andy Seah <[email protected]>
Reviewed-on: http://gerrit.pcs.mot.com/589412
Submit-Approved: Jira Key <[email protected]>
Tested-by: Jira Key <[email protected]>
Reviewed-by: Joel Voss <[email protected]>
Reviewed-by: Christopher Fries <[email protected]>
SLTApproved: Christopher Fries <[email protected]>
Reviewed-on: http://gerrit.pcs.mot.com/589833
SLTApproved: Maulik Desai <[email protected]>
Reviewed-by: Maulik Desai <[email protected]>

net/core/flow_dissector.c

@@ -35,7 +35,7 @@ bool skb_flow_dissect(const struct sk_buff *skb, struct flow_keys *flow)
 		struct iphdr _iph;
 ip:
 		iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
-		if (!iph)
+		if (!iph || iph->ihl < 5)
 			return false;
 
 		if (ip_is_fragment(iph))