lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <1356537792.20133.20451.camel@edumazet-glaptop> Date: Wed, 26 Dec 2012 08:03:12 -0800 From: Eric Dumazet <eric.dumazet@...il.com> To: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org> Cc: "'netdev@...r.kernel.org'" <netdev@...r.kernel.org>, David Miller <davem@...emloft.net> Subject: Re: [PATCH V2] ipv6 mcast: Fix incorrect use of pskb_may_pull(). On Wed, 2012-12-26 at 12:12 +0900, YOSHIFUJI Hideaki wrote: > pskb_may_pull(skb, len) ensures that len bytes from skb->data > are available in a linear array. When pskb_may_pull() is > being used multiple times for the same buffer without > skb_pull(), the length is not accumulated. > > For example, assuming that we have done: > pskb_may_pull(skb, sizeof(struct icmp6hdr)) > > Here, we have to do: > pskb_may_pull(skb, sizeof(struct mld2_query)) > instead of: > pskb_may_pull(skb, sizeof(struct mld2_query) - > sizeof(struct icmp6hdr)) > > Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org> > --- > net/ipv6/mcast.c | 13 ++++++------- > 1 file changed, 6 insertions(+), 7 deletions(-) > > diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c > index 28dfa5f..5d91832 100644 > --- a/net/ipv6/mcast.c > +++ b/net/ipv6/mcast.c > @@ -1124,7 +1124,7 @@ int igmp6_event_query(struct sk_buff *skb) > int mark = 0; > int len; > > - if (!pskb_may_pull(skb, sizeof(struct in6_addr))) > + if (!pskb_may_pull(skb, sizeof(struct icmp6hdr) + sizeof(struct in6_addr))) > return -EINVAL; > I am a bit confused by your patch. igmp6_event_query() is called from icmpv6_rcv() _after_ pskb_pull(skb, sizeof(*hdr); (hdr being struct icmp6hdr) So this patch is wrong IMHO -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists