lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Apr 2012 11:45:05 +0800 From: Changli Gao <xiaosuo@...il.com> To: David Miller <davem@...emloft.net> Cc: eric.dumazet@...il.com, kaber@...sh.net, pablo@...filter.org, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH] net: check the length of the data before dereferencing it On Mon, Apr 2, 2012 at 11:29 AM, David Miller <davem@...emloft.net> wrote: > > Tag Eric, you're it. > > You ACK'd this patch, so you get to show how this is actually able > to cause some kind of problem. > > I assert that this is adding a useless test, that doesn't fix any kind > of possible crash or misbehavior. If length == 1 at the default:, the > code will absolutely do the right thing. > > Prove me wrong. Thinking about a malformed tcp segment, which has no data but silly options, and whose last byte is neither TCPOPT_EOL or TCPOPT_NOP, we will try to dereference one byte over the boundary when parsing the options. I know we have skb_shared_info at the end and it won't cause any crash, but should we rely on this fact? -- Regards, Changli Gao(xiaosuo@...il.com) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists