lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 15 Aug 2020 04:44:31 -0400 From: Miaohe Lin <linmiaohe@...wei.com> To: <davem@...emloft.net>, <kuba@...nel.org>, <pshelar@....org>, <fw@...len.de>, <martin.varghese@...ia.com>, <edumazet@...gle.com>, <dcaratti@...hat.com>, <steffen.klassert@...unet.com>, <pabeni@...hat.com>, <shmulik@...anetworks.com>, <kyk.segfault@...il.com>, <jiri@...lanox.com>, <vyasevic@...hat.com> CC: <netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <linmiaohe@...wei.com> Subject: [PATCH] net: Fix potential wrong skb->protocol in skb_vlan_untag() We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or we may access the wrong data. Fixes: 0d5501c1c828 ("net: Always untag vlan-tagged traffic on input.") Signed-off-by: Miaohe Lin <linmiaohe@...wei.com> --- net/core/skbuff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 7e2e502ef519..5c3b906aeef3 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -5418,8 +5418,8 @@ struct sk_buff *skb_vlan_untag(struct sk_buff *skb) skb = skb_share_check(skb, GFP_ATOMIC); if (unlikely(!skb)) goto err_free; - - if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) + /* We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). */ + if (unlikely(!pskb_may_pull(skb, VLAN_HLEN + sizeof(unsigned short)))) goto err_free; vhdr = (struct vlan_hdr *)skb->data; -- 2.19.1
Powered by blists - more mailing lists