| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1596541698-18938-1-git-send-email-linmiaohe@huawei.com>
Date: Tue, 4 Aug 2020 19:48:18 +0800
From: linmiaohe <linmiaohe@...wei.com>
To: <davem@...emloft.net>, <kuba@...nel.org>, <pshelar@....org>,
<fw@...len.de>, <martin.varghese@...ia.com>, <willemb@...gle.com>,
<edumazet@...gle.com>, <dcaratti@...hat.com>,
<steffen.klassert@...unet.com>, <pabeni@...hat.com>,
<shmulik@...anetworks.com>, <kyk.segfault@...il.com>
CC: <netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<linmiaohe@...wei.com>
Subject: [PATCH] net: Fix potential out of bound write in skb_try_coalesce()
From: Miaohe Lin <linmiaohe@...wei.com>
The head_frag of skb would occupy one extra skb_frag_t. Take it into
account or out of bound write to skb frags may happen.
Signed-off-by: Miaohe Lin <linmiaohe@...wei.com>
---
net/core/skbuff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 8a0c39e4ab0a..b489ba201fac 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -5154,7 +5154,7 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
unsigned int offset;
if (to_shinfo->nr_frags +
- from_shinfo->nr_frags >= MAX_SKB_FRAGS)
+ from_shinfo->nr_frags + 1 >= MAX_SKB_FRAGS)
return false;
if (skb_head_is_locked(from))
--
2.19.1
Powered by blists - more mailing lists