| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 3 Aug 2010 07:11:14 +0800
From: Changli Gao <xiaosuo@...il.com>
To: Stephen Hemminger <shemminger@...tta.com>
Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH 1/4] net: check for reference outside of skb
On Tue, Aug 3, 2010 at 6:00 AM, Stephen Hemminger <shemminger@...tta.com> wrote:
> It is legitimate for callers of skb_header_pointer to pass a negative
> offset, but the resulting pointer should not go outside the valid
> range of data in the skb.
>
> Signed-off-by: Stephen Hemminger <shemminger@...tta.com>
>
> --- a/include/linux/skbuff.h 2010-08-01 09:23:01.635121262 -0700
> +++ b/include/linux/skbuff.h 2010-08-01 09:25:27.453901530 -0700
> @@ -1853,6 +1853,9 @@ static inline void *skb_header_pointer(c
> {
> int hlen = skb_headlen(skb);
>
> + if (hlen + offset < 0)
> + return NULL;
> +
It seems wrong. do you mean
if (skb_headroom(hlen) + offset < 0)
Nevertheless it is also wrong. skb_header_pointer doesn't know if the
headroom is filled with valid data or not.
Thanks.
> if (hlen - offset >= len)
> return skb->data + offset;
--
Regards,
Changli Gao(xiaosuo@...il.com)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists