lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6F5C1D715B2DA5498A628E6B9C124F04019BF9E404@hasmsx504.ger.corp.intel.com>
Date:	Mon, 3 Jan 2011 11:43:52 +0200
From:	"Winkler, Tomas" <tomas.winkler@...el.com>
To:	Johannes Berg <johannes@...solutions.net>
CC:	"davem@...emloft.net" <davem@...emloft.net>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	Stephen Hemminger <shemminger@...tta.com>
Subject: RE: [PATCH 1/1 V3] bridge: fix br_multicast_ipv6_rcv for paged skbs



> -----Original Message-----
> From: Johannes Berg [mailto:johannes@...solutions.net]
> Sent: Monday, January 03, 2011 11:34 AM
> To: Winkler, Tomas
> Cc: davem@...emloft.net; netdev@...r.kernel.org; Stephen Hemminger
> Subject: Re: [PATCH 1/1 V3] bridge: fix br_multicast_ipv6_rcv for paged skbs
> 
> On Sun, 2011-01-02 at 22:18 +0200, Tomas Winkler wrote:
> 
> >  	icmp6h = icmp6_hdr(skb2);
> >
> >  	switch (icmp6h->icmp6_type) {
> > @@ -1516,7 +1517,12 @@ static int br_multicast_ipv6_rcv(struct net_bridge
> *br,
> >  	switch (icmp6h->icmp6_type) {
> >  	case ICMPV6_MGM_REPORT:
> >  	    {
> > -		struct mld_msg *mld = (struct mld_msg *)icmp6h;
> > +		struct mld_msg *mld;
> > +		if (!pskb_may_pull(skb2, sizeof(*mld))) {
> > +			err = -EINVAL;
> > +			goto out;
> > +		}
> > +		mld = (struct mld_msg *)icmp6h;
> 
> This (and the second instance) is incorrect afaict -- the pointer
> "icmp6h" should be reloaded after the pskb_may_pull(), no?

mld_msg is bigger than icmp6h by sizeof(in6_addr) so we have to try pull again a bigger chunk. 

> 
> Also, the "out_nopush" thing is pointless since the push is completely
> unnecessary as "skb2 != skb" is always true.

You are right if skb_clone doesn't return the same pointer then yes. Shame, but I'm not a sbk expert. I'm diving into it now.

Thanks
Tomas
---------------------------------------------------------------------
Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ