| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1275481219.14363.6.camel@bigi>
Date: Wed, 02 Jun 2010 08:20:19 -0400
From: jamal <hadi@...erus.ca>
To: Changli Gao <xiaosuo@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH] cls_u32: use skb_copy_bits() to dereference data safely
Hi Changli,
On Wed, 2010-06-02 at 01:47 +0800, Changli Gao wrote:
>
> I added the following debug code into cls_u32.c
>
> for (i = n->sel.nkeys; i>0; i--, key++) {
> + int off;
> +
> + off = key->off+(off2&key->offmask) + (ptr - skb->data);
> + if (off + 4 > skb->len)
> + printk("skb->len: %d, off: %d\n",
> skb->len, off);
>
Ok, makes more sense. And thanks for taking time to construct a
meaningful example.
It is not a common use - but i agree it is a bug.
I am suprised we never caught this all this years and wondering why this
never crashed in your example?
Can we make the fix very simple please? i.e no copy bits, this is the
fast path.
> It isn't an optimization, but an error exit. :)
What i meant was if you can tell immediately what the maximum offset is
then you dont need to go through for loop making comparison with each
key. You could immediately bailout - which is an optimization ;->
cheers,
jamal
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists