| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Aug 2018 04:38:29 +0000
From: Ttttabcd <ttttabcd@...tonmail.com>
To: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: I found a strange place while reading “net/ipv6/reassembly.c”
Hello everyone who develops the kernel.
At the beginning I was looking for the source author, but his email address has expired, so I can only come here to ask questions.
The problem is in the /net/ipv6/reassembly.c file, the author is Pedro Roque.
I found some strange places when I read the code for this file (Linux Kernel version 4.18).
In the "/net/ipv6/reassembly.c"
In the function "ip6_frag_queue"
offset = ntohs(fhdr->frag_off) & ~0x7;
end = offset + (ntohs(ipv6_hdr(skb)->payload_len) -
((u8 *)(fhdr + 1) - (u8 *)(ipv6_hdr(skb) + 1)));
if ((unsigned int)end > IPV6_MAXPLEN) {
*prob_offset = (u8 *)&fhdr->frag_off - skb_network_header(skb);
return -1;
}
Here the length of the payload is judged.
And in the function "ip6_frag_reasm"
payload_len = ((head->data - skb_network_header(head)) -
sizeof(struct ipv6hdr) + fq->q.len -
sizeof(struct frag_hdr));
if (payload_len > IPV6_MAXPLEN)
goto out_oversize;
......
out_oversize:
net_dbg_ratelimited("ip6_frag_reasm: payload len = %d\n", payload_len);
goto out_fail;
Here also judges the length of the payload.
Judged the payload length twice.
I tested that the code in the label "out_oversize:" does not execute at all, because it has been returned in "ip6_frag_queue".
Unless I comment out the code that judge the payload length in the function "ip6_frag_queue", the code labeled "out_oversize:" can be executed.
So, is this repeated?
Powered by blists - more mailing lists