[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 07 Aug 2010 20:24:16 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: dp@...hloadlab.com
Cc: kuznet@....inr.ac.ru, jmorris@...ei.org, kaber@...sh.net,
yoshfuji@...ux-ipv6.org, pekkas@...core.fi, gilad@...efidence.com,
yony@...sleep.com, ori@...sleep.com, ilpo.jarvinen@...sinki.fi,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tcp: no md5sig option size check bug
From: Dmitry Popov <dp@...hloadlab.com>
Date: Sat, 7 Aug 2010 23:17:52 +0400
> From: Dmitry Popov <dp@...hloadlab.com>
>
> tcp_parse_md5sig_option doesn't check md5sig option (TCPOPT_MD5SIG)
> length, but tcp_v[46]_inbound_md5_hash assume that it's at least 16
> bytes long.
>
> Signed-off-by: Dmitry Popov <dp@...hloadlab.com>
I'll apply this, but the memcmp() we do against this pointer is always
safe because there's at least skb_shared_info()'s worth of valid
memory past skb->data guarenteed at all times which is much larger
than 16 bytes.
So at worst we'd access garbage, but never past a valid piece of
allocated memory.
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists