| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 15 Mar 2007 19:04:36 +0300 From: Alexey Kuznetsov <kuznet@....inr.ac.ru> To: David Miller <davem@...emloft.net> Cc: adobriyan@...ru, netdev@...r.kernel.org, devel@...nvz.org Subject: Re: [PATCH] Copy mac_len in skb_clone() as well Hello! > What bug triggered that helped you discover this? Or is it > merely from a code audit? I asked the same question. :-) openvz added some another fields to skbuff and when it was found that they are lost while clone, he tried to figure out how all this works and looked for another examples of this kind. As I understand, the problem can be seen only in xfrmX_tunnel_input. If uninitialized mac_len obtained from slab is more than current head room it could corrupt memory. Also, it looks like the fix is incomplete. copy_skb_header() also does not copy this field. But it will be initialized to 0 by alloc_skb in this case and xfrmX_tunnel_input() just will not copy mac header. Alexey - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists