| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Sep 2011 14:32:13 -0400 (EDT) From: David Miller <davem@...emloft.net> To: eric.dumazet@...il.com Cc: jasowang@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, gregkh@...e.de, stable@...nel.org, mst@...hat.com, akong@...hat.com Subject: Re: Possible NULL dereference caused by -stable commit ef81bb40bf15f350fe865f31fa42f1082772a576 From: Eric Dumazet <eric.dumazet@...il.com> Date: Wed, 28 Sep 2011 14:09:09 +0200 > 1) Discussion on current kernel : > > All we need here is not the route but inet_peer, so that inet_getid() > can be called on it. > > If no route is given to ipv6_select_ident(), at least we can try to get > inet_peer, and release it before exiting from ipv6_select_ident() Ok, after some auditing, there is only one call site of ipv6_select_ident() that can happen with a NULL route and that is udp6_ufo_fragment(). ipv6_gso_segment() already walks the extension headers via ipv6_gso_pull_exthdrs() so maybe we can calculate the true destination address there and get that passed down somehow into the fragment ID selection for an inetpeer lookup. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists