Contents of /genpatches-2.6/tags/2.6.12-12/2125_skb-crash.patch

Revision 137
Tue Aug 9 21:23:12 2005 UTC (13 years, 3 months ago) by dsd
File size: 2232 byte(s)
2.6.12-12 release

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 5 Jul 2005 21:08:10 +0000 (-0700)
Subject: [NET]: Fix signedness issues in net/core/filter.c
X-Git-Tag: v2.6.13-rc2
X-Git-Url: http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=55820ee2f8c767a2833b21bd365e5753f50bd8ce

[NET]: Fix signedness issues in net/core/filter.c

This is the code to load packet data into a register:

        k = fentry->k;
        if (k < 0) {
                ...
        } else {
                u32 _tmp, *p;
                p = skb_header_pointer(skb, k, 4, &_tmp);
                if (p != NULL) {
                        A = ntohl(*p);
                        continue;
                }
        }

skb_header_pointer checks if the requested data is within the
linear area:

        int hlen = skb_headlen(skb);

        if (offset + len <= hlen)
                return skb->data + offset;

When offset is within [INT_MAX-len+1..INT_MAX] the addition will
result in a negative number which is <= hlen.

I couldn't trigger a crash on my AMD64 with 2GB of memory, but a
coworker tried on his x86 machine and it crashed immediately.

This patch fixes the check in skb_header_pointer to handle large
positive offsets similar to skb_copy_bits. Invalid data can still
be accessed using negative offsets (also similar to skb_copy_bits),
anyone using negative offsets needs to verify them himself.

Thanks to Thomas Vögtle <thomas.voegtle@coreworks.de> for verifying the
problem by crashing his machine and providing me with an Oops.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

50 --- a/include/linux/skbuff.h
51 +++ b/include/linux/skbuff.h
52 @@ -1211,7 +1211,7 @@ static inline void *skb_header_pointer(c
53 {
54 int hlen = skb_headlen(skb);
55
56 - if (offset + len <= hlen)
57 + if (hlen - offset >= len)
58 return skb->data + offset;
59
60 if (skb_copy_bits(skb, offset, buffer, len) < 0)
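Review bot: The rewritten test `if (hlen - offset >= len)` still passes for a negative `offset`, so `return skb->data + offset;` can hand back a pointer in front of the linear area, and nothing in the hunk records that callers must validate negative offsets themselves, which the commit message states as the contract. Add a comment above the check saying so, or reject `offset < 0` here if no caller of this helper needs it. With `int hlen` the subtraction is also signed, so a sufficiently negative `offset` can overflow `hlen - offset` much as the old addition did for large positive values; an explicit range check on `offset` before subtracting avoids relying on that.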

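The wrap described in the commit message, shown as an added example that is not part of the original patch or of the kernel source. The helper names, the 64-byte linear area and the offsets are constructed for illustration, and `strict_check` is a hypothetical stricter variant, not something the patch introduces.

```c
#include <limits.h>
#include <stdio.h>

/* Two's-complement wrap of a + b, computed without signed-overflow UB.
 * Models the "negative number" result the commit message describes. */
static int wrap_add(int a, int b)
{
    unsigned int u = (unsigned int)a + (unsigned int)b;
    return u <= INT_MAX ? (int)u : -(int)(UINT_MAX - u) - 1;
}

/* Check before the patch: offset + len <= hlen. */
static int old_check(int hlen, int offset, int len)
{
    return wrap_add(offset, len) <= hlen;
}

/* Check after the patch: hlen - offset >= len.
 * Only called here with offsets for which the subtraction cannot overflow. */
static int new_check(int hlen, int offset, int len)
{
    return hlen - offset >= len;
}

/* Hypothetical stricter variant (assumption, not in the patch): also
 * refuses negative offsets, which the patch leaves to the caller. */
static int strict_check(int hlen, int offset, int len)
{
    return offset >= 0 && len >= 0 && offset <= hlen && len <= hlen - offset;
}

int main(void)
{
    /* Constructed inputs: a 64-byte linear area and 4-byte loads. */
    const int hlen = 64, len = 4;
    const int offsets[] = { 0, 60, 61, INT_MAX - 3, INT_MAX, -8 };
    size_t i;

    printf("%12s %4s %4s %6s\n", "offset", "old", "new", "strict");
    for (i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++)
        printf("%12d %4d %4d %6d\n", offsets[i],
               old_check(hlen, offsets[i], len),
               new_check(hlen, offsets[i], len),
               strict_check(hlen, offsets[i], len));
    return 0;
}
```

A 1 in a column means that check would take the `return skb->data + offset;` fast path for the given offset.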