[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3905046.1695031382@warthog.procyon.org.uk>
Date: Mon, 18 Sep 2023 11:03:02 +0100
From: David Howells <dhowells@...hat.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: dhowells@...hat.com,
syzbot <syzbot+62cbf263225ae13ff153@...kaller.appspotmail.com>,
bpf@...r.kernel.org, davem@...emloft.net, dsahern@...nel.org,
kuba@...nel.org, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, pabeni@...hat.com,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] WARNING in __ip6_append_data
David Howells <dhowells@...hat.com> wrote:
> I think the attached is probably an equivalent cleaned up reproducer. Note
> that if the length given to sendfile() is less than 65536, it fails with
> EINVAL before it gets into __ip6_append_data().
Actually, it only fails with EINVAL if the size is not a multiple of the block
size of the source file because it's open O_DIRECT so, say, 65536-512 is fine
(and works).
But thinking more on this further, is this even a bug in my code, I wonder?
The length passed is 65536 - but a UDP packet can't carry that, so it
shouldn't it have errored out before getting that far? (which is what it
seems to do when I try it).
I don't see how we get past the length check in ip6_append_data() with the
reproducer we're given unless the MTU is somewhat bigger than 65536 (is that
even possible?)
David
Powered by blists - more mailing lists