lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 20 Apr 2007 16:35:15 -0700 (PDT)
From:	David Miller <>
Subject: Re: [Bugme-new] [Bug 8057] New: slab corruption running ip6sic

From: Jarek Poplawski <>
Date: Mon, 12 Mar 2007 11:24:03 +0100

> > the ipcomp handler is xfrm6_rcv(), which calls xfrm6_rcv_spi(), which contrary
> > to all other handlers returns -1 instead of 0 after calling kfree_skb() on the
> > skb. Changing the return value to 0 in xfrm6_input.c:xfrm6_rcv_spi() fixes the
> > problem.
> > But I got no clue at all if this would be a correct fix
> I think your diagnose is correct (all "return -1" should be
> changed to "return 0" in xfrm6_input.c).

Unfortunately, that won't work.

The return value logic for proto->handler() is different in
IPV6's ip6_input.c than it is for IPV4's ip_input.c.

IPv4 goes:

			ret = ipprot->handler(skb);
			if (ret < 0) {
				protocol = -ret;
				goto resubmit;

whereas IPV6 goes:

		ret = ipprot->handler(&skb);
		if (ret > 0)
			goto resubmit;

There was a good reason why things were done differently for
this case, but I don't remember what that reason was.

Anyways, changing -1 to 0 in xfrm6_input.c will break everything
even though it might make this crash go away. :-)))

To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists