lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 28 Oct 2022 05:40:38 -0700
From:   Eric Dumazet <edumazet@...gle.com>
To:     "Ziyang Xuan (William)" <william.xuanziyang@...wei.com>
Cc:     davem@...emloft.net, yoshfuji@...ux-ipv6.org, dsahern@...nel.org,
        kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, herbert@...dor.apana.org.au
Subject: Re: [PATCH net] ipv6/gro: fix an out of bounds memory bug in ipv6_gro_receive()

On Fri, Oct 28, 2022 at 3:11 AM Ziyang Xuan (William)
<william.xuanziyang@...wei.com> wrote:
> Hi Eric,
>
> Thank you for your suggestion.
>
> I have analyzed the problem more deeply. The odd IPv6 packet and
> big packet length value(IPv6 payload length more than 65535)
> together cause the problem.
>
> skb->network_header and skb->transport_header are all u16 type.
> They would occuer overflow errors during ipv6_gro_receive() processing.
> That cause the value error for __skb_push(skb, value).
>
> So the problem is a bug in tun device.
>
> I will combine my previous problem "net: tun: limit first seg size to avoid oversized linearization"
> together to give the fix patch later.

SGTM, thanks !

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ