| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1459195654.6473.122.camel@edumazet-glaptop3.roam.corp.google.com> Date: Mon, 28 Mar 2016 13:07:34 -0700 From: Eric Dumazet <eric.dumazet@...il.com> To: David Miller <davem@...emloft.net> Cc: kadlec@...ckhole.kfki.hu, sploving1@...il.com, pablo@...filter.org, kaber@...sh.net, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: BUG: net/netfilter: KASAN: stack-out-of-bounds in tcp_packet On Mon, 2016-03-28 at 15:29 -0400, David Miller wrote: > From: Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu> > Date: Mon, 28 Mar 2016 18:48:51 +0200 (CEST) > > >> > > @@ -3716,6 +3716,8 @@ void tcp_parse_options(const struct sk_buff *skb, > >> > > length--; > >> > > continue; > >> > > default: > >> > > + if (length < 2) > >> > > + return; > >> > > opsize = *ptr++; > >> > > if (opsize < 2) /* "silly options" */ > >> > > return; > > I'm trying to figure out how this can even matter. > > If we are in the loop, length is at least one. > > That means it is legal to read the opsize byte. > > By the next check, opsize is at least 2. > > And then the very next line in this code makes sure length >= opsize: > > if (opsize > length) > return; /* don't parse partial options */ > > Therefore no out-of-range access is possible as far as I can see. Maybe use kasan_disable_current() and kasan_enable_current() to silence kasan ? Oh wait, these are not BH safe.
Powered by blists - more mailing lists