| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 02 Mar 2018 12:23:17 -0800 From: Eric Dumazet <eric.dumazet@...il.com> To: Lorenzo Bianconi <lorenzo.bianconi@...hat.com>, davem@...emloft.net Cc: netdev@...r.kernel.org, jishi@...hat.com, sbrivio@...hat.com Subject: Re: [PATCH net-next] ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option() On Fri, 2018-03-02 at 11:53 +0100, Lorenzo Bianconi wrote: > Fix the following slab-out-of-bounds kasan report in > ndisc_fill_redirect_hdr_option when the incoming ipv6 packet is not > linear and the accessed data are not in the linear data region of orig_skb > > Reported-by: Jianlin Shi <jishi@...hat.com> > Reviewed-by: Stefano Brivio <sbrivio@...hat.com> > Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@...hat.com> > --- > net/ipv6/ndisc.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c > index 0a19ce3a6f7f..afd8c15827cd 100644 > --- a/net/ipv6/ndisc.c > +++ b/net/ipv6/ndisc.c > @@ -1554,7 +1554,8 @@ static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb, > *(opt++) = (rd_len >> 3); > opt += 6; > > - memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8); > + skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt, > + rd_len - 8); > } Wow, nice catch ! Reviewed-by: Eric Dumazet <edumazet@...gle.com>
Powered by blists - more mailing lists