| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Apr 2007 16:35:15 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: jarkao2@...pl
Cc: akpm@...ux-foundation.org, netdev@...r.kernel.org,
bugme-daemon@...zilla.kernel.org, snakebyte@....de
Subject: Re: [Bugme-new] [Bug 8057] New: slab corruption running ip6sic
From: Jarek Poplawski <jarkao2@...pl>
Date: Mon, 12 Mar 2007 11:24:03 +0100
> > the ipcomp handler is xfrm6_rcv(), which calls xfrm6_rcv_spi(), which contrary
> > to all other handlers returns -1 instead of 0 after calling kfree_skb() on the
> > skb. Changing the return value to 0 in xfrm6_input.c:xfrm6_rcv_spi() fixes the
> > problem.
> > But I got no clue at all if this would be a correct fix
>
> I think your diagnose is correct (all "return -1" should be
> changed to "return 0" in xfrm6_input.c).
Unfortunately, that won't work.
The return value logic for proto->handler() is different in
IPV6's ip6_input.c than it is for IPV4's ip_input.c.
IPv4 goes:
ret = ipprot->handler(skb);
if (ret < 0) {
protocol = -ret;
goto resubmit;
}
whereas IPV6 goes:
ret = ipprot->handler(&skb);
if (ret > 0)
goto resubmit;
There was a good reason why things were done differently for
this case, but I don't remember what that reason was.
Anyways, changing -1 to 0 in xfrm6_input.c will break everything
even though it might make this crash go away. :-)))
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists