| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190403053416.GA21913@kadam>
Date: Wed, 3 Apr 2019 08:34:16 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Alexander Aring <alex.aring@...il.com>
Cc: Jukka Rissanen <jukka.rissanen@...ux.intel.com>,
"David S. Miller" <davem@...emloft.net>,
linux-bluetooth@...r.kernel.org, linux-wpan@...r.kernel.org,
netdev@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: [PATCH net] 6lowpan: Off by one handling ->nexthdr
NEXTHDR_MAX is 255. What happens here is that we take a u8 value
"hdr->nexthdr" from the network and then look it up in
lowpan_nexthdr_nhcs[]. The problem is that if hdr->nexthdr is 0xff then
we read one element beyond the end of the array so the array needs to
be one element larger.
Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface")
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
---
This is the only place which uses the NEXTHDR_MAX define, so I considered
changing that to 256 instead. Either fix would work.
net/6lowpan/nhc.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/6lowpan/nhc.c b/net/6lowpan/nhc.c
index 4fa2fdda174d..9e56fb98f33c 100644
--- a/net/6lowpan/nhc.c
+++ b/net/6lowpan/nhc.c
@@ -18,7 +18,7 @@
#include "nhc.h"
static struct rb_root rb_root = RB_ROOT;
-static struct lowpan_nhc *lowpan_nexthdr_nhcs[NEXTHDR_MAX];
+static struct lowpan_nhc *lowpan_nexthdr_nhcs[NEXTHDR_MAX + 1];
static DEFINE_SPINLOCK(lowpan_nhc_lock);
static int lowpan_nhc_insert(struct lowpan_nhc *nhc)
--
2.17.1
Powered by blists - more mailing lists