lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Dec 2010 19:52:14 +0100 From: Johannes Berg <johannes@...solutions.net> To: Stephen Hemminger <shemminger@...tta.com> Cc: Tomas Winkler <tomas.winkler@...el.com>, davem@...emloft.net, netdev@...r.kernel.org, linux-wireless@...r.kernel.org Subject: Re: [PATCH net-2.6] bridge: fix br_multicast_ipv6_rcv for paged skbs On Thu, 2010-12-30 at 10:46 -0800, Stephen Hemminger wrote: > This doesn't look correct. The calculation of the offset doesn't look correct. > Just following the skb_clone(), the skb_pull value is "offset". > Also, the other checks return -EINVAL for incorrectly formed packet. > > --- a/net/bridge/br_multicast.c 2010-12-30 10:29:58.579510488 -0800 > +++ b/net/bridge/br_multicast.c 2010-12-30 10:43:27.273386691 -0800 > @@ -1464,6 +1464,9 @@ static int br_multicast_ipv6_rcv(struct > if (offset < 0 || nexthdr != IPPROTO_ICMPV6) > return 0; > > + if (!pskb_may_pull(skb, offset)) > + return -EINVAL; > + > /* Okay, we found ICMPv6 header */ > skb2 = skb_clone(skb, GFP_ATOMIC); > if (!skb2) Wouldn't that make more sense after the clone anyway? But if you look at my email, you'll find that there's potentially, and conditionally, more stuff that will be read from the skb's header, which hasn't necessarily been pulled in, so I think this still won't fix all the issues. Seeing how this only affects some ICMPv6 packets, maybe we should just use skb_copy() instead? johannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists