
To: "David S. Miller" <davem@xxxxxxxxxxxxx>
Subject: Re: Fw: [Bug 4279] New: When I try to start vpnc the net/core/skbuff.c:91 crash
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Fri, 11 Mar 2005 06:03:14 +0100
Cc: maxk@xxxxxxxxxxxx, shemminger@xxxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <20050310192023.1270fef6.davem@xxxxxxxxxxxxx>
References: <20050303095832.6a084856@xxxxxxxxxxxxxxxxx> <4228A354.8020904@xxxxxxxxxxxx> <4228AD8F.4020000@xxxxxxxxx> <20050310192023.1270fef6.davem@xxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20050106 Debian/1.7.5-1
David S. Miller wrote:
>> This check is wrong, gcc optimizes it away:
>>
>>                if ((len -= sizeof(pi)) > len)
>>                         return -EINVAL;
>>
>> This could be responsible for the BUG. If len is 2 or 3 and TUN_NO_PI
>> isn't set it underflows. alloc_skb() allocates len + 2, which is 0 or
>> 1 byte. skb_reserve tries to reserve 2 bytes and things explode in
>> skb_put.
>
> Good catch Patrick.
>
> Patch applied, thanks.

The patch is also needed (and applies with fuzz) for 2.4.

Regards
Patrick
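The arithmetic behind the quoted check, as an added example that is not part of the thread or of the tun driver's code. It assumes `len` is an unsigned `size_t` (as in the driver's receive path) and uses a constructed 4-byte `struct pi_header` as a stand-in for the kernel's packet-information header. The quoted expression reads `len` on the right of `>` while assigning to it on the left, which the C standard leaves unsequenced; the block spells out the reading gcc took, comparing the already-decremented value with itself, which can never be true, so the branch is removed and a short `len` wraps. The "fixed" form below is one correct way to write the check, not necessarily the exact patch David applied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the tun driver's packet-information header
 * (struct tun_pi in the kernel). Only its size matters here: 4 bytes. */
struct pi_header {
    uint16_t flags;
    uint16_t proto;
};

/* The quoted check, written in the order the compiler evaluates it:
 * subtract first, then compare the new len with itself. The comparison
 * is always false, so nothing is ever rejected. For len < sizeof(pi)
 * the unsigned subtraction wraps to a value near SIZE_MAX.
 * Returns -1 if rejected (unreachable), else 0 with the decremented len
 * stored in *payload. */
int broken_check(size_t len, size_t *payload)
{
    len -= sizeof(struct pi_header);   /* wraps for len == 0..3 */
    if (len > len)                     /* self-comparison: never true */
        return -1;
    *payload = len;
    return 0;
}

/* Mirrors the thread's observation: alloc_skb(len + 2) is called with the
 * already-wrapped len, so len + 2 wraps a second time and the allocation
 * ends up 0 or 1 bytes for an input len of 2 or 3.
 * Returns (size_t)-1 if the check rejected the input, which it never does. */
size_t broken_alloc_size(size_t len)
{
    size_t payload;
    if (broken_check(len, &payload) != 0)
        return (size_t)-1;
    return payload + 2;
}

/* One correct form: compare before subtracting, so a length shorter than
 * the header is rejected instead of wrapping. Returns -1 when the buffer
 * is too short, otherwise the payload length after the header. */
long fixed_payload_len(size_t len)
{
    if (len < sizeof(struct pi_header))
        return -1;
    return (long)(len - sizeof(struct pi_header));
}

int main(void)
{
    /* Constructed sample lengths: the two cases from the thread plus two
     * ordinary ones. */
    size_t lens[] = { 2, 3, 4, 1500 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t l = lens[i];
        printf("len=%zu  broken check -> alloc %zu bytes   fixed check -> %ld\n",
               l, broken_alloc_size(l), fixed_payload_len(l));
    }
    return 0;
}
```

Running it shows the broken path asking for a 0-byte and then a 1-byte buffer for len 2 and 3, which is what leaves skb_reserve and skb_put with no room, while the fixed check returns -1 for both and passes the normal sizes through unchanged.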
