| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Jan 2013 04:08:19 +0100
From: Hannes Frederic Sowa <hannes@...essinduktion.org>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH] ipv6: check if dereference of ipv6 header is safe
On Thu, Jan 17, 2013 at 06:21:37PM -0800, Eric Dumazet wrote:
> But we use a 'struct iphdr' here, not a ipv6hdr
>
> So we basically implicitely rely on sizeof(struct iphdr) <=
> sizeof(struct ipv6hdr)
>
> I would leave the pskb_may_pull() call and fix it, even if not really
> needed.
Please correct me if I am wrong:
The callstack as captured in ipip6_rcv:
ipip6_rcv+0xcd/0x680 [sit]
tunnel64_rcv+0x4a/0x174 [tunnel4]
ip_local_deliver+0x152/0x470
? ip_local_deliver+0x75/0x470
ip_rcv+0x36d/0x650
ip_rcv does first check if the ipv4 header is complete (inclusive options) and
passes control to ip_local_deliver which calls __skb_pull(skb,
ip_hdrlen(skb)). So ->data is forwarded behind the ipv4 header. The next
pskb_may_pull check would check if the necessary amount of data behind the
ipv4 header is available hence I assume the check in tunnel64_rcv is enough:
109 static int tunnel64_rcv(struct sk_buff *skb)
110 {
111 struct xfrm_tunnel *handler;
112
113 if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
114 goto drop;
115
116 for_each_tunnel_rcu(tunnel64_handlers, handler)
117 if (!handler->handler(skb))
118 return 0;
Thanks,
Hannes
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists