Date: Fri, 20 Apr 2007 16:35:15 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: jarkao2@...pl
Cc: akpm@...ux-foundation.org, netdev@...r.kernel.org, bugme-daemon@...zilla.kernel.org, snakebyte@....de
Subject: Re: [Bugme-new] [Bug 8057] New: slab corruption running ip6sic

From: Jarek Poplawski <jarkao2@...pl>
Date: Mon, 12 Mar 2007 11:24:03 +0100

> > the ipcomp handler is xfrm6_rcv(), which calls xfrm6_rcv_spi(), which contrary
> > to all other handlers returns -1 instead of 0 after calling kfree_skb() on the
> > skb. Changing the return value to 0 in xfrm6_input.c:xfrm6_rcv_spi() fixes the
> > problem.
> > But I got no clue at all if this would be a correct fix
>
> I think your diagnose is correct (all "return -1" should be
> changed to "return 0" in xfrm6_input.c).

Unfortunately, that won't work.

The return value logic for proto->handler() is different in
IPV6's ip6_input.c than it is for IPV4's ip_input.c.

IPv4 goes:

	ret = ipprot->handler(skb);
	if (ret < 0) {
		protocol = -ret;
		goto resubmit;
	}

whereas IPV6 goes:

	ret = ipprot->handler(&skb);
	if (ret > 0)
		goto resubmit;

There was a good reason why things were done differently
for this case, but I don't remember what that reason was.

Anyways, changing -1 to 0 in xfrm6_input.c will break everything
even though it might make this crash go away. :-)))