| To: | netdev@xxxxxxxxxxx |
|---|---|
| Subject: | [PATCH]: ipv6_skip_exthdr() may refer invalid memory area |
| From: | Yasuyuki Kozakai <yasuyuki.kozakai@xxxxxxxxxxxxx> |
| Date: | Fri, 20 Feb 2004 14:33:59 +0900 (JST) |
| Cc: | netfilter-devel@xxxxxxxxxxxxxxxxxxx, usagi-core@xxxxxxxxxxxxxx |
| Sender: | netdev-bounce@xxxxxxxxxxx |

Hello,

ipv6_skip_exthdr() refers to an invalid memory area in the case that the packet includes a Fragment Header.
Please apply this patch.

Regards,

-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai@xxxxxxxxxxxxx>

diff -Nur linux-2.6.3/net/ipv6/exthdrs.c linux-2.6.3-fixed/net/ipv6/exthdrs.c
--- linux-2.6.3/net/ipv6/exthdrs.c 2004-02-18 12:57:13.000000000 +0900
+++ linux-2.6.3-fixed/net/ipv6/exthdrs.c 2004-02-19 18:04:59.000000000
+0900
@@ -709,8 +709,16 @@
if (skb_copy_bits(skb, start, &hdr, sizeof(hdr)))
BUG();
if (nexthdr == NEXTHDR_FRAGMENT) {
- struct frag_hdr *fhdr = (struct frag_hdr *) &hdr;
- if (ntohs(fhdr->frag_off) & ~0x7)
+ unsigned short frag_off;
+ if (skb_copy_bits(skb,
+ start+offsetof(struct frag_hdr,
+ frag_off),
+ &frag_off,
+ sizeof(frag_off))) {
+ return -1;
+ }
+
+ if (ntohs(frag_off) & ~0x7)
break;
hdrlen = 8;
} else if (nexthdr == NEXTHDR_AUTH)
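
Review bot: The new skb_copy_bits() failure path in the NEXTHDR_FRAGMENT branch returns -1, while the same kind of failure in the unchanged context just above it (the copy into &hdr) still calls BUG(); the two length checks on packet data should fail the same way, and returning an error is the safer of the two. The callers are not visible in this hunk, so please confirm that each of them treats a negative return as an error rather than using it as an offset, and say so in the changelog. A one-line comment above the second copy would also help, noting that hdr is only filled with sizeof(hdr) bytes and that frag_off therefore has to be fetched from the skb separately, since that is the whole reason for the change. Minor style points: frag_off holds a 16-bit network-order field, so a fixed-width 16-bit type would be clearer than unsigned short, and the braces around the single return statement can be dropped.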