Re: [PATCH]: ipv6_skip_exthdr() may refer invalid memory area

To:	davem@xxxxxxxxxx
Subject:	Re: [PATCH]: ipv6_skip_exthdr() may refer invalid memory area
From:	Yasuyuki Kozakai <yasuyuki.kozakai@xxxxxxxxxxxxx>
Date:	Thu, 26 Feb 2004 12:48:31 +0900 (JST)
Cc:	netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx, usagi-core@xxxxxxxxxxxxxx
In-reply-to:	<20040220093027.2c03f48c.davem@xxxxxxxxxx>
References:	<200402200534.OAA04081@xxxxxxxxxxxxx> <20040220093027.2c03f48c.davem@xxxxxxxxxx>
Sender:	netdev-bounce@xxxxxxxxxxx

To:

davem@xxxxxxxxxx

Subject:

Re: [PATCH]: ipv6_skip_exthdr() may refer invalid memory area

From:

Yasuyuki Kozakai <yasuyuki.kozakai@xxxxxxxxxxxxx>

Date:

Thu, 26 Feb 2004 12:48:31 +0900 (JST)

Cc:

netdev@xxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx, usagi-core@xxxxxxxxxxxxxx

In-reply-to:

<20040220093027.2c03f48c.davem@xxxxxxxxxx>

References:

<200402200534.OAA04081@xxxxxxxxxxxxx> <20040220093027.2c03f48c.davem@xxxxxxxxxx>

Sender:

netdev-bounce@xxxxxxxxxxx

Hi,

This patch is for linux 2.4.26-pre1 .

-----------------------------------------------------------------
Yasuyuki KOZAKAI @ USAGI Project <yasuyuki.kozakai@xxxxxxxxxxxxx>


From: "David S. Miller" <davem@xxxxxxxxxx>
Date: Fri, 20 Feb 2004 09:30:27 -0800

> On Fri, 20 Feb 2004 14:33:59 +0900 (JST)
> Yasuyuki Kozakai <yasuyuki.kozakai@xxxxxxxxxxxxx> wrote:
> 
> > ipv6_skip_exthdr() refer invalid memory area in the case
> > that packet includes Fragment Header.
> > 
> > please apply this patch.
> 
> Applied, thank you Yasuyuki-san.

diff -Nur linux-2.4.26-pre1/net/ipv6/exthdrs.c 
linux-2.4.26-pre1-fixed/net/ipv6/exthdrs.c
--- linux-2.4.26-pre1/net/ipv6/exthdrs.c        2003-08-25 20:44:44.000000000 
+0900
+++ linux-2.4.26-pre1-fixed/net/ipv6/exthdrs.c  2004-02-26 10:44:21.000000000 
+0900
@@ -798,8 +798,16 @@
                if (skb_copy_bits(skb, start, &hdr, sizeof(hdr)))
                        BUG();
                if (nexthdr == NEXTHDR_FRAGMENT) {
-                       struct frag_hdr *fhdr = (struct frag_hdr *) &hdr;
-                       if (ntohs(fhdr->frag_off) & ~0x7)
+                       unsigned short frag_off;
+                       if (skb_copy_bits(skb,
+                                         start+offsetof(struct frag_hdr,
+                                                        frag_off),
+                                         &frag_off,
+                                         sizeof(frag_off))) {
+                               return -1;
+                       }
+
+                       if (ntohs(frag_off) & ~0x7)
                                break;
                        hdrlen = 8;
                } else if (nexthdr == NEXTHDR_AUTH)

<Prev in Thread]	Current Thread	[Next in Thread>
[PATCH]: ipv6_skip_exthdr() may refer invalid memory area, Yasuyuki Kozakai Re: [PATCH]: ipv6_skip_exthdr() may refer invalid memory area, David S. Miller Re: [PATCH]: ipv6_skip_exthdr() may refer invalid memory area, Yasuyuki Kozakai <= Re: [PATCH]: ipv6_skip_exthdr() may refer invalid memory area, David S. Miller

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: [PATCH] proportional share accept(), James Morris
Next by Date:	Re: [PATCH]: invaild TCP/UDP matching when ipv6 extension header exists, Yasuyuki Kozakai
Previous by Thread:	Re: [PATCH]: ipv6_skip_exthdr() may refer invalid memory area, David S. Miller
Next by Thread:	Re: [PATCH]: ipv6_skip_exthdr() may refer invalid memory area, David S. Miller
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: [PATCH] proportional share accept(), James Morris

Next by Date:

Re: [PATCH]: invaild TCP/UDP matching when ipv6 extension header exists, Yasuyuki Kozakai

Previous by Thread:

Re: [PATCH]: ipv6_skip_exthdr() may refer invalid memory area, David S. Miller

Next by Thread:

Re: [PATCH]: ipv6_skip_exthdr() may refer invalid memory area, David S. Miller

Indexes:

[Date] [Thread] [Top] [All Lists]