| To: | yoshfuji@xxxxxxxxxxxxxxxxx (YOSHIFUJI Hideaki / 吉藤英明) |
|---|---|
| Subject: | Re: [SECURITY] Overrun in net/ipv6/exthdrs.c |
| From: | kuznet@xxxxxxxxxxxxx |
| Date: | Thu, 22 Feb 2001 22:23:41 +0300 (MSK) |
| Cc: | netdev@xxxxxxxxxxx |
| In-reply-to: | <20010223012955T.yoshfuji@ecei.tohoku.ac.jp> from "YOSHIFUJI Hideaki / 吉藤英明" at Feb 22, 1 07:45:03 pm |
| Sender: | owner-netdev@xxxxxxxxxxx |
Hello!
> We've found buffer overrun bug while parsing ipv6 extension headers
> in linux2{2,4}/net/ipv6/exthdrs.c.
The patch, which you have sent some time ago (it contained
also some fixes to mld etc.) has been merged. (Sorry, it is still not
in main 2.4.2 tree).
Does this new patch have some differences of older one?
Alexey
PS:
> + if (len < 2)
> + goto bad;
> + optlen = ptr[1]+2;
> + if (len < optlen)
> + goto bad;
The first check is useless, it is identity.
We use the trick that each skb has space of 16 bytes behind
its tail and allow references beyond end of packet to simplify
parsing of objects containing length encoded in the first octets.
objlen = ptr[N];
if (objlen < MIN_OBJLEN || objlen > TRUE_LEN)
parse_error;
is legal.
Alexey
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: [SECURITY] Overrun in ipv4 option parsing (Fw: (usagi-users 00222), kuznet |
|---|---|
| Next by Date: | Re: [OOPS] kernel panic due to bug in tcp_ipv6.c, kuznet |
| Previous by Thread: | [SECURITY] Overrun in net/ipv6/exthdrs.c, YOSHIFUJI Hideaki / 吉藤英明 |
| Next by Thread: | [OOPS] kernel panic due to bug in tcp_ipv6.c, YOSHIFUJI Hideaki / 吉藤英明 |
| Indexes: | [Date] [Thread] [Top] [All Lists] |