| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20131130.161357.1101467615641418549.davem@davemloft.net> Date: Sat, 30 Nov 2013 16:13:57 -0500 (EST) From: David Miller <davem@...emloft.net> To: paul.durrant@...rix.com Cc: xen-devel@...ts.xen.org, netdev@...r.kernel.org, wei.liu2@...rix.com, ian.campbell@...rix.com, david.vrabel@...rix.com Subject: Re: [PATCH net v3] xen-netback: fix fragment detection in checksum setup From: Paul Durrant <paul.durrant@...rix.com> Date: Fri, 29 Nov 2013 10:52:08 +0000 > @@ -1166,15 +1166,27 @@ static int checksum_setup_ip(struct xenvif *vif, struct sk_buff *skb, > struct iphdr *iph = (void *)skb->data; > unsigned int header_size; > unsigned int off; > + bool fragment; > int err = -EPROTO; > > + fragment = false; > + > off = sizeof(struct iphdr); > > header_size = skb->network_header + off + MAX_IPOPTLEN; > maybe_pull_tail(skb, header_size); > > + if (iph->frag_off & htons(IP_OFFSET | IP_MF)) > + fragment = true; This function has a serious problem. maybe_pull_tail() can change skb->data, therefore this "iph" pointer can become invalid, you're essentially dereferencing garbage if maybe_pull_tail() actually does any work. Secondly, do you really (even rate limited) want to span the system log just because some ipv4 fragmented frames end up here? That doesn't make any sense to me. Maybe bump a statistic or something like that, but a log message triggerable by a remote entity? No way. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists