| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130117035652.GB23782@order.stressinduktion.org> Date: Thu, 17 Jan 2013 04:56:52 +0100 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: netdev@...r.kernel.org Subject: [PATCH] ipv6: check if dereference of ipv6 header is safe When ipip6_rcv gets called we are sure that we have a full blown ipv4 packet header in the linear skb buffer (this is checked by xfrm4_mode_tunnel_input). Because we dereference fields of the inner ipv6 header we should actually check for the length of the sum of the ipv4 and ipv6 header. If the skb is too short this packet could very well be destined for another tunnel. So we should notify the caller accordingly (albeit currently xfrm4_mode_tunnel_input does not care; this could need another patch). Signed-off-by: Hannes Frederic Sowa <hannes@...essinduktion.org> --- net/ipv6/sit.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index 2b4c15a..389d6e3 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -612,8 +612,8 @@ static int ipip6_rcv(struct sk_buff *skb) struct ip_tunnel *tunnel; int err; - if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) - goto out; + if (!pskb_may_pull(skb, sizeof(struct iphdr) + sizeof(struct ipv6hdr))) + return 1; iph = ip_hdr(skb); -- 1.7.11.7 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists