| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZQFpPuplel7+QZwK@nanopsycho> Date: Wed, 13 Sep 2023 09:48:14 +0200 From: Jiri Pirko <jiri@...nulli.us> To: Sasha Neftin <sasha.neftin@...el.com> Cc: netdev@...r.kernel.org, eranbe@...dia.com, tariqt@...dia.com, kuba@...nel.org, anthony.l.nguyen@...el.com, vinicius.gomes@...el.com Subject: Re: [PATCH net v1 1/1] net/core: Fix ETH_P_1588 flow dissector No need to put "1/1" for a single patch. Wed, Sep 13, 2023 at 08:39:05AM CEST, sasha.neftin@...el.com wrote: >When a PTP ethernet raw frame with a size of more than 256 bytes followed >by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation >is wrong. For example: hdr->message_length takes the wrong value (0xffff) >and it does not replicate real header length. In this case, 'nhoff' value >was overridden and the PTP header was badly dissected. This leads to a >kernel crash. > >net/core: flow_dissector >net/core flow dissector nhoff = 0x0000000e >net/core flow dissector hdr->message_length = 0x0000ffff >net/core flow dissector nhoff = 0x0001000d (u16 overflow) >... >skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 >skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > >Using the size of the ptp_header struct will allow the corrected >calculation of the nhoff value. Should use imperative mood in order to make clear what the patch is doing. Anyway, Reviewed-by: Jiri Pirko <jiri@...dia.com>
Powered by blists - more mailing lists