lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <f921c3efbc3f0266e49a840962816a52e5bcfaf2.camel@redhat.com> Date: Tue, 28 May 2019 23:25:52 +0200 From: Davide Caratti <dcaratti@...hat.com> To: Eric Dumazet <eric.dumazet@...il.com>, Cong Wang <xiyou.wangcong@...il.com>, Jiri Pirko <jiri@...nulli.us>, Jamal Hadi Salim <jhs@...atatu.com>, "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org Cc: shuali@...hat.com, Eli Britstein <elibr@...lanox.com> Subject: Re: [PATCH net] net/sched: act_pedit: fix 'ex munge' on network header in case of QinQ packet hi Eric, thanks for looking at this! On Tue, 2019-05-28 at 14:02 -0700, Eric Dumazet wrote: > > On 5/28/19 1:50 PM, Davide Caratti wrote: > > + vlan = (struct vlan_hdr *)skb->data; > > + protocol = vlan->h_vlan_encapsulated_proto; > > + skb_pull(skb, VLAN_HLEN); > > + skb_reset_network_header(skb); > > + (*vlan_hdr_count)++; > > + } > > + goto again; > > What prevents this loop to access data not yet in skb->head ? just luck. 'pedit' does skb_header_pointer() later on, when it writes in the packet. But indeed, there is no guarantee that all the nested vlan headers are in the linear area of the packet. Looking at 2ecba2d1e45b and current act_csum.c, probably also tcf_csum_act() needs the same check: I will try a patch for that tomorrow. > skb_header_pointer() (or pskb_may_pull()) seems needed. pskb_may_pull(), with proper error handling, seems better to me. regards, -- davide
Powered by blists - more mailing lists