| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 09 Aug 2009 21:27:25 -0700 (PDT) From: David Miller <davem@...emloft.net> To: roel.kluin@...il.com Cc: khc@...waw.pl, netdev@...r.kernel.org, akpm@...ux-foundation.org Subject: Re: [PATCH] lmc: Read outside array bounds From: Roel Kluin <roel.kluin@...il.com> Date: Fri, 07 Aug 2009 16:54:19 +0200 > If dev_alloc_skb() fails on the first iteration of the allocation loop, and we > break out of the loop, then we end up writing before the start of the array. > > Signed-off-by: Roel Kluin <roel.kluin@...il.com> > --- >> First of all, if we allocated at least one buffer we should >> mark the last one in the code right after this loop. >> >> Second of all, we should purge the TX skbs in the next >> loop even if we could not allocate even one RX buffer. >> >> The thing to do is probably to guard the set of "[i-1]" RX ring >> accesses with a "if (i != 0)" check. > > Forgot a bit about this one, but I hope this is what you meant? It's not correct to limit the TX ring loop by how many RX ring buffers we've been able to successfully allocate, that doesn't make any sense. I'm talking about the second loop which you unexplainably changed to "for (j = 0; j < i; ..." I'm not applying this. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists