| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f921c3efbc3f0266e49a840962816a52e5bcfaf2.camel@redhat.com>
Date: Tue, 28 May 2019 23:25:52 +0200
From: Davide Caratti <dcaratti@...hat.com>
To: Eric Dumazet <eric.dumazet@...il.com>,
Cong Wang <xiyou.wangcong@...il.com>,
Jiri Pirko <jiri@...nulli.us>,
Jamal Hadi Salim <jhs@...atatu.com>,
"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Cc: shuali@...hat.com, Eli Britstein <elibr@...lanox.com>
Subject: Re: [PATCH net] net/sched: act_pedit: fix 'ex munge' on network
header in case of QinQ packet
hi Eric, thanks for looking at this!
On Tue, 2019-05-28 at 14:02 -0700, Eric Dumazet wrote:
>
> On 5/28/19 1:50 PM, Davide Caratti wrote:
> > + vlan = (struct vlan_hdr *)skb->data;
> > + protocol = vlan->h_vlan_encapsulated_proto;
> > + skb_pull(skb, VLAN_HLEN);
> > + skb_reset_network_header(skb);
> > + (*vlan_hdr_count)++;
> > + }
> > + goto again;
>
> What prevents this loop to access data not yet in skb->head ?
just luck.
'pedit' does skb_header_pointer() later on, when it writes in the packet.
But indeed, there is no guarantee that all the nested vlan headers are in
the linear area of the packet.
Looking at 2ecba2d1e45b and current act_csum.c, probably also tcf_csum_act()
needs the same check: I will try a patch for that tomorrow.
> skb_header_pointer() (or pskb_may_pull()) seems needed.
pskb_may_pull(), with proper error handling, seems better to me.
regards,
--
davide
Powered by blists - more mailing lists