| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 02 Jun 2010 06:27:18 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: xiaosuo@...il.com
Cc: hadi@...erus.ca, netdev@...r.kernel.org
Subject: Re: [PATCH] cls_u32: use skb_copy_bits() to dereference data safely
From: Changli Gao <xiaosuo@...il.com>
Date: Wed, 2 Jun 2010 21:14:55 +0800
> On Wed, Jun 2, 2010 at 8:45 PM, David Miller <davem@...emloft.net> wrote:
>> From: jamal <hadi@...erus.ca>
>> Date: Wed, 02 Jun 2010 08:25:38 -0400
>>
>>> --- a/net/sched/cls_u32.c
>>> +++ b/net/sched/cls_u32.c
>>> @@ -135,6 +135,9 @@ next_knode:
>>>
>>> for (i = n->sel.nkeys; i>0; i--, key++) {
>>>
>>> + int toff = key->off+(off2&key->offmask)- 4;
>>> + if (unlikely(toff > skb->len))
>>> + /* bailout here - needs some thought */
>>> if ((*(__be32*)(ptr+key->off+(off2&key->offmask))^key->v
>>
>> I don't think it's that simple.
>>
>> You can't dereference from the skb->data linear area if your offset is
>> beyond "skb->len - skb->data_len" (aka. skb_headlen()) since that's
>> where the paged or fragmented portion starts.
>>
>> We really need to use skb_copy_bits() if we want to allow
>> any offset into the SKB, and because of all the ways
>> packets can be transformed and constructed we absolutely
>> have to.
>>
>
> Maybe skb_header_pointer() is lighter.
Yes, it should be. In fact, it's designed for this kind of situation
and that's why it's used extensively in netfilter.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists