| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAM_iQpX1at1w=3OfRFchn3STTDJGXj640tGetxXToR=EyddpEw@mail.gmail.com>
Date: Sun, 27 Nov 2016 21:39:33 -0800
From: Cong Wang <xiyou.wangcong@...il.com>
To: Amir Vadai <amir@...ai.me>
Cc: "David S. Miller" <davem@...emloft.net>,
Linux Kernel Network Developers <netdev@...r.kernel.org>,
Jamal Hadi Salim <jhs@...atatu.com>,
Or Gerlitz <ogerlitz@...lanox.com>,
Hadar Har-Zion <hadarh@...lanox.com>,
Jiri Pirko <jiri@...lanox.com>
Subject: Re: [PATCH net] net/sched: act_pedit: limit negative offset
On Sun, Nov 27, 2016 at 7:58 AM, Amir Vadai <amir@...ai.me> wrote:
> Should not allow setting a negative offset that goes below the skb head.
...
> diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
> index b54d56d4959b..e79e8a88f2d2 100644
> --- a/net/sched/act_pedit.c
> +++ b/net/sched/act_pedit.c
> @@ -154,8 +154,11 @@ static int tcf_pedit(struct sk_buff *skb, const struct tc_action *a,
> }
>
> ptr = skb_header_pointer(skb, off + offset, 4, &_data);
> - if (!ptr)
> + if ((unsigned char *)ptr < skb->head) {
ptr returned could be &_data, which is on stack, so why this comparison
makes sense for this case?
> + pr_info("tc filter pedit offset out of bounds\n");
> goto bad;
> + }
> +
> /* just do it, baby */
> *ptr = ((*ptr & tkey->mask) ^ tkey->val);
> if (ptr == &_data)
> --
> 2.10.2
>
Powered by blists - more mailing lists