lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 28 May 2019 23:25:52 +0200
From:   Davide Caratti <dcaratti@...hat.com>
To:     Eric Dumazet <eric.dumazet@...il.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        Jiri Pirko <jiri@...nulli.us>,
        Jamal Hadi Salim <jhs@...atatu.com>,
        "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Cc:     shuali@...hat.com, Eli Britstein <elibr@...lanox.com>
Subject: Re: [PATCH net] net/sched: act_pedit: fix 'ex munge' on network
 header in case of QinQ packet

hi Eric, thanks for looking at this!

On Tue, 2019-05-28 at 14:02 -0700, Eric Dumazet wrote:
> 
> On 5/28/19 1:50 PM, Davide Caratti wrote:
> > +				vlan = (struct vlan_hdr *)skb->data;
> > +				protocol = vlan->h_vlan_encapsulated_proto;
> > +				skb_pull(skb, VLAN_HLEN);
> > +				skb_reset_network_header(skb);
> > +				(*vlan_hdr_count)++;
> > +			}
> > +			goto again;
> 
> What prevents this loop to access data not yet in skb->head ?

just luck.

'pedit' does skb_header_pointer() later on, when it writes in the packet.
But indeed, there is no guarantee that all the nested vlan headers are in
the linear area of the packet. 

Looking at 2ecba2d1e45b and current act_csum.c, probably also tcf_csum_act()
needs the same check: I will try a patch for that tomorrow.

> skb_header_pointer() (or pskb_may_pull()) seems needed.

pskb_may_pull(), with proper error handling, seems better to me. 
regards,
-- 
davide

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ