| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Aug 2010 16:21:58 -0700
From: Stephen Hemminger <shemminger@...tta.com>
To: Changli Gao <xiaosuo@...il.com>
Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH 1/4] net: check for reference outside of skb
On Tue, 3 Aug 2010 07:11:14 +0800
Changli Gao <xiaosuo@...il.com> wrote:
> On Tue, Aug 3, 2010 at 6:00 AM, Stephen Hemminger <shemminger@...tta.com> wrote:
> > It is legitimate for callers of skb_header_pointer to pass a negative
> > offset, but the resulting pointer should not go outside the valid
> > range of data in the skb.
> >
> > Signed-off-by: Stephen Hemminger <shemminger@...tta.com>
> >
> > --- a/include/linux/skbuff.h 2010-08-01 09:23:01.635121262 -0700
> > +++ b/include/linux/skbuff.h 2010-08-01 09:25:27.453901530 -0700
> > @@ -1853,6 +1853,9 @@ static inline void *skb_header_pointer(c
> > {
> > int hlen = skb_headlen(skb);
> >
> > + if (hlen + offset < 0)
> > + return NULL;
> > +
>
> It seems wrong. do you mean
>
> if (skb_headroom(hlen) + offset < 0)
>
> Nevertheless it is also wrong. skb_header_pointer doesn't know if the
> headroom is filled with valid data or not.
>
It should be headroom. It is okay if the request is looking at PAD
area, that is the callers problem. Just don't want wander off into
into unallocated space.
Anyway, I'll fix it in cls_u32.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists