| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iJmOKiALL9r_9+nyy5bdYwMUEX+LAkmswMyWwNC53yEew@mail.gmail.com>
Date: Mon, 17 Feb 2025 20:21:14 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: Suchit K <suchitkarunakaran@...il.com>
Cc: netdev@...r.kernel.org, davem@...emloft.net, horms@...nel.org,
skhan@...uxfoundation.org, linux-kernel@...r.kernel.org,
linux-kernel-mentees@...ts.linux.dev
Subject: Re: [PATCH] net: dev_addr_list: add address length validation in
__hw_addr_insert function
On Mon, Feb 17, 2025 at 8:05 PM Suchit K <suchitkarunakaran@...il.com> wrote:
>
> Hi Eric,
> Thanks for the feedback! I'm new to kernel development and still
> finding my way around.
> I wasn't working from a syzbot report on this one; I was just
> exploring the code and felt there is no parameter validation. I went
> ahead and made this change based on that impression. I realized my
> changelog should have been more generic. Sorry about that. Also since
> it's not based on a syzbot report, is it good to have this change?
> Your insights and suggestions would be most welcome. I will make the
> required changes accordingly.
> Thanks.
I think these checks are not necessary.
1) The caller (dev_addr_mod) provides non NULL pointers,
there is no point adding tests, because if one of them was NULL,
a crash would occur before hitting this function.
2) Your patch would silently hide a real issue if for some reason
dev->addr_len was too big.
Powered by blists - more mailing lists