lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20061129.181537.38322733.davem@davemloft.net>
Date:	Wed, 29 Nov 2006 18:15:37 -0800 (PST)
From:	David Miller <davem@...emloft.net>
To:	kernel@...uxace.com
Cc:	linux-kernel@...r.kernel.org, linux-netdev@...r.kernel.org
Subject: Re: Linux 2.6.19

From: Phil Oester <kernel@...uxace.com>
Date: Wed, 29 Nov 2006 17:49:04 -0800

> Getting an oops on boot here, caused by commit
> e81c73596704793e73e6dbb478f41686f15a4b34 titled
> "[NET]: Fix MAX_HEADER setting".
> 
> Reverting that patch fixes things up for me.  Dave?

I suspect that it might be because I removed the IPV6
ifdef from the list,  but I can't imagine why that would
matter other than due to a bug in the IPV6 stack....

Indeed.

Looking at ndisc_send_rs() I wonder if it miscalculates
'len' or similar and the old MAX_HEADER setting was
merely papering around this bug....

In fact it does, the NDISC code is using MAX_HEADER incorrectly.  It
needs to explicitly allocate space for the struct ipv6hdr in 'len'.
Luckily the TCP ipv6 code was doing it right.

What a horrible bug, this patch should fix it.  Let me know
if it doesn't, thanks:

commit c28728decc37fe52c8cdf48b3e0c0cf9b0c2fefb
Author: David S. Miller <davem@...set.davemloft.net>
Date:   Wed Nov 29 18:14:47 2006 -0800

    [IPV6] NDISC: Calculate packet length correctly for allocation.
    
    MAX_HEADER does not include the ipv6 header length in it,
    so we need to add it in explicitly.
    
    Signed-off-by: David S. Miller <davem@...emloft.net>

diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 73eb8c3..c42d4c2 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -441,7 +441,8 @@ static void ndisc_send_na(struct net_dev
         struct sk_buff *skb;
 	int err;
 
-	len = sizeof(struct icmp6hdr) + sizeof(struct in6_addr);
+	len = sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr) +
+		sizeof(struct in6_addr);
 
 	/* for anycast or proxy, solicited_addr != src_addr */
 	ifp = ipv6_get_ifaddr(solicited_addr, dev, 1);
@@ -556,7 +557,8 @@ void ndisc_send_ns(struct net_device *de
 	if (err < 0)
 		return;
 
-	len = sizeof(struct icmp6hdr) + sizeof(struct in6_addr);
+	len = sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr) +
+		sizeof(struct in6_addr);
 	send_llinfo = dev->addr_len && !ipv6_addr_any(saddr);
 	if (send_llinfo)
 		len += ndisc_opt_addr_space(dev);
@@ -632,7 +634,7 @@ void ndisc_send_rs(struct net_device *de
 	if (err < 0)
 		return;
 
-	len = sizeof(struct icmp6hdr);
+	len = sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr);
 	if (dev->addr_len)
 		len += ndisc_opt_addr_space(dev);
 
@@ -1381,7 +1383,8 @@ void ndisc_send_redirect(struct sk_buff 
 			 struct in6_addr *target)
 {
 	struct sock *sk = ndisc_socket->sk;
-	int len = sizeof(struct icmp6hdr) + 2 * sizeof(struct in6_addr);
+	int len = sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr) +
+		2 * sizeof(struct in6_addr);
 	struct sk_buff *buff;
 	struct icmp6hdr *icmph;
 	struct in6_addr saddr_buf;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ