| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080106020214.GQ27894@ZenIV.linux.org.uk> Date: Sun, 6 Jan 2008 02:02:14 +0000 From: Al Viro <viro@...IV.linux.org.uk> To: Herbert Xu <herbert@...dor.apana.org.au> Cc: m.kozlowski@...land.pl, davem@...emloft.net, sparclinux@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: sparc oops in ip_fast_csum On Sun, Jan 06, 2008 at 11:22:04AM +1100, Herbert Xu wrote: > Actually if you read the code for ip_fast_csum it's obvious what has > happened. %o1 == iph->ihl contains the value 2 which is bogus. > > [IPV4] raw: Strengthen check on validity of iph->ihl > > We currently check that iph->ihl is bounded by the real length and that > the real length is greater than the minimum IP header length. However, > we did not check the caes where iph->ihl is less than the minimum IP > header length. > > This breaks because some ip_fast_csum implementations assume that which > is quite reasonable. Humm... Point, but that makes me wonder what other callers do... E.g. what about ipt_REJECT.c::send_reset()? Or myri10ge_get_frag_header()? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists