lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <50DA6B0D.6010500@linux-ipv6.org> Date: Wed, 26 Dec 2012 12:12:13 +0900 From: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org> To: "'netdev@...r.kernel.org'" <netdev@...r.kernel.org>, David Miller <davem@...emloft.net> CC: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org>, erdnetdev@...il.com Subject: [PATCH V2] ipv6 mcast: Fix incorrect use of pskb_may_pull(). pskb_may_pull(skb, len) ensures that len bytes from skb->data are available in a linear array. When pskb_may_pull() is being used multiple times for the same buffer without skb_pull(), the length is not accumulated. For example, assuming that we have done: pskb_may_pull(skb, sizeof(struct icmp6hdr)) Here, we have to do: pskb_may_pull(skb, sizeof(struct mld2_query)) instead of: pskb_may_pull(skb, sizeof(struct mld2_query) - sizeof(struct icmp6hdr)) Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org> --- net/ipv6/mcast.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c index 28dfa5f..5d91832 100644 --- a/net/ipv6/mcast.c +++ b/net/ipv6/mcast.c @@ -1124,7 +1124,7 @@ int igmp6_event_query(struct sk_buff *skb) int mark = 0; int len; - if (!pskb_may_pull(skb, sizeof(struct in6_addr))) + if (!pskb_may_pull(skb, sizeof(struct icmp6hdr) + sizeof(struct in6_addr))) return -EINVAL; /* compute payload length excluding extension headers */ @@ -1165,9 +1165,7 @@ int igmp6_event_query(struct sk_buff *skb) /* clear deleted report items */ mld_clear_delrec(idev); } else if (len >= 28) { - int srcs_offset = sizeof(struct mld2_query) - - sizeof(struct icmp6hdr); - if (!pskb_may_pull(skb, srcs_offset)) + if (!pskb_may_pull(skb, sizeof(struct mld2_query))) return -EINVAL; mlh2 = (struct mld2_query *)skb_transport_header(skb); @@ -1186,8 +1184,9 @@ int igmp6_event_query(struct sk_buff *skb) } /* mark sources to include, if group & source-specific */ if (mlh2->mld2q_nsrcs != 0) { - if (!pskb_may_pull(skb, srcs_offset + - ntohs(mlh2->mld2q_nsrcs) * sizeof(struct in6_addr))) + if (!pskb_may_pull(skb, + sizeof(struct mld2_query) + + ntohs(mlh2->mld2q_nsrcs) * sizeof(struct in6_addr))) return -EINVAL; mlh2 = (struct mld2_query *)skb_transport_header(skb); @@ -1248,7 +1247,7 @@ int igmp6_event_report(struct sk_buff *skb) skb->pkt_type != PACKET_BROADCAST) return 0; - if (!pskb_may_pull(skb, sizeof(*mld) - sizeof(struct icmp6hdr))) + if (!pskb_may_pull(skb, sizeof(*mld))) return -EINVAL; mld = (struct mld_msg *)icmp6_hdr(skb); -- 1.7.9.5 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists