ipv6: fix ip6_tnl_parse_tlv_enc_lim() - xavi/android_kernel_m2note - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Eric Dumazet <edumazet@google.com>	2017-01-23 16:43:06 -0800
committer	Moyster <oysterized@gmail.com>	2017-06-17 16:10:48 +0200
commit	1fb35fa4a1b3ce0a3975d81f82435339a5ded9d9 (patch)
tree	06f06d85f4b95aff03610801db167b80d88a9dda /include/linux
parent	1a0da808a2dba774df573aca5d85514d9f653b46 (diff)

ipv6: fix ip6_tnl_parse_tlv_enc_lim()

commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 upstream. This function suffers from multiple issues. First one is that pskb_may_pull() may reallocate skb->head, so the 'raw' pointer needs either to be reloaded or not used at all. Second issue is that NEXTHDR_DEST handling does not validate that the options are present in skb->data, so we might read garbage or access non existent memory. With help from Willem de Bruijn. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu>

Diffstat (limited to 'include/linux')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: