| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191113192912.17546-2-andrea.mayer@uniroma2.it>
Date: Wed, 13 Nov 2019 20:29:10 +0100
From: Andrea Mayer <andrea.mayer@...roma2.it>
To: "David S. Miller" <davem@...emloft.net>,
Alexey Kuznetsov <kuznet@....inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
David Lebrun <dav.lebrun@...il.com>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: Andrea Mayer <andrea.mayer@...roma2.it>
Subject: [net-next, 1/3] seg6: verify srh pointer in get_srh()
pskb_may_pull may change pointers in header. For this reason, it is
mandatory to reload any pointer that points into skb header.
Signed-off-by: Andrea Mayer <andrea.mayer@...roma2.it>
---
net/ipv6/seg6_local.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
index 9d4f75e0d33a..e187dec2eed1 100644
--- a/net/ipv6/seg6_local.c
+++ b/net/ipv6/seg6_local.c
@@ -75,12 +75,16 @@ static struct ipv6_sr_hdr *get_srh(struct sk_buff *skb)
return NULL;
srh = (struct ipv6_sr_hdr *)(skb->data + srhoff);
-
len = (srh->hdrlen + 1) << 3;
if (!pskb_may_pull(skb, srhoff + len))
return NULL;
+ /* note that pskb_may_pull may change pointers in header;
+ * for this reason it is necessary to reload them when needed.
+ */
+ srh = (struct ipv6_sr_hdr *)(skb->data + srhoff);
+
if (!seg6_validate_srh(srh, len))
return NULL;
--
2.20.1
Powered by blists - more mailing lists