| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1389743541.31367.279.camel@edumazet-glaptop2.roam.corp.google.com> Date: Tue, 14 Jan 2014 15:52:21 -0800 From: Eric Dumazet <eric.dumazet@...il.com> To: David Miller <davem@...emloft.net> Cc: netdev <netdev@...r.kernel.org> Subject: [BUG] eth_type_trans() can access stale data Following code : if (unlikely(skb->len >= 2 && *(unsigned short *)(skb->data) == 0xFFFF)) return htons(ETH_P_802_3); expects the additional bytes are in skb->head I do not think all eth_type_trans() are ready for a pskb_may_pull() (I am too lazy to perform a whole check) Would following workaround be OK ? diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c index 8f032bae60ad..d95403098f09 100644 --- a/net/ethernet/eth.c +++ b/net/ethernet/eth.c @@ -194,7 +194,8 @@ __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev) * layer. We look for FFFF which isn't a used 802.2 SSAP/DSAP. This * won't work for fault tolerant netware but does for the rest. */ - if (unlikely(skb->len >= 2 && *(unsigned short *)(skb->data) == 0xFFFF)) + if (unlikely(skb_headlen(skb) >= 2 && + *(unsigned short *)(skb->data) == 0xFFFF)) return htons(ETH_P_802_3); /* -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists