| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20131105.221025.1890710578395202777.davem@davemloft.net>
Date: Tue, 05 Nov 2013 22:10:25 -0500 (EST)
From: David Miller <davem@...emloft.net>
To: hannes@...essinduktion.org
Cc: Saran.Neti@...us.com, netdev@...r.kernel.org, pshelar@...ira.com,
tsl-vulnerability-research@...us.com
Subject: Re: [PATCH net] ipv6: fix headroom calculation in udp6_ufo_fragment
From: Hannes Frederic Sowa <hannes@...essinduktion.org>
Date: Tue, 5 Nov 2013 02:41:27 +0100
> Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
> fragmentation for tunnel traffic.") changed the calculation if
> there is enough space to include a fragment header in the skb from a
> skb->mac_header dervived one to skb_headroom. Because we already peeled
> off the skb to transport_header this is wrong. Change this back to check
> if we have enough room before the mac_header.
>
> This fixes a panic Saran Neti reported. He used the tbf scheduler which
> skb_gso_segments the skb. The offsets get negative and we panic in memcpy
> because the skb was erroneously not expanded at the head.
>
> Reported-by: Saran Neti <Saran.Neti@...us.com>
> Cc: Pravin B Shelar <pshelar@...ira.com>
> Signed-off-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
Applied and queued up for -stable, thanks Hannes.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists