| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAO9wTFhbK-Ckc3bq9X0qdKiyHVqsQgtzSu4RGzkd1d1aAK0vwg@mail.gmail.com> Date: Tue, 18 Feb 2025 00:57:51 +0530 From: Suchit K <suchitkarunakaran@...il.com> To: Eric Dumazet <edumazet@...gle.com> Cc: netdev@...r.kernel.org, davem@...emloft.net, horms@...nel.org, skhan@...uxfoundation.org, linux-kernel@...r.kernel.org, linux-kernel-mentees@...ts.linux.dev Subject: Re: [PATCH] net: dev_addr_list: add address length validation in __hw_addr_insert function Thank you so much for the feedback. I appreciate your time and effort in reviewing and providing feedback. On Tue, 18 Feb 2025 at 00:51, Eric Dumazet <edumazet@...gle.com> wrote: > > On Mon, Feb 17, 2025 at 8:05 PM Suchit K <suchitkarunakaran@...il.com> wrote: > > > > Hi Eric, > > Thanks for the feedback! I'm new to kernel development and still > > finding my way around. > > I wasn't working from a syzbot report on this one; I was just > > exploring the code and felt there is no parameter validation. I went > > ahead and made this change based on that impression. I realized my > > changelog should have been more generic. Sorry about that. Also since > > it's not based on a syzbot report, is it good to have this change? > > Your insights and suggestions would be most welcome. I will make the > > required changes accordingly. > > Thanks. > > I think these checks are not necessary. > > 1) The caller (dev_addr_mod) provides non NULL pointers, > there is no point adding tests, because if one of them was NULL, > a crash would occur before hitting this function. > > 2) Your patch would silently hide a real issue if for some reason > dev->addr_len was too big.
Powered by blists - more mailing lists