ipv6: fix ip6_tnl_parse_tlv_enc_lim() - kernel - saturneric's kernel source tree

diff options

author	Eric Dumazet <[email protected]>	2017-01-24 00:43:06 +0000
committer	David S. Miller <[email protected]>	2017-01-24 19:53:24 +0000
commit	fbfa743a9d2a0ffa24251764f10afc13eb21e739 (patch)
tree	391e471dde0dc5afd2f24ab0410d4a2a8761180b /net/tipc/node.c
parent	ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit() (diff)
download	kernel-fbfa743a9d2a0ffa24251764f10afc13eb21e739.tar.gz kernel-fbfa743a9d2a0ffa24251764f10afc13eb21e739.zip

ipv6: fix ip6_tnl_parse_tlv_enc_lim()

This function suffers from multiple issues. First one is that pskb_may_pull() may reallocate skb->head, so the 'raw' pointer needs either to be reloaded or not used at all. Second issue is that NEXTHDR_DEST handling does not validate that the options are present in skb->data, so we might read garbage or access non existent memory. With help from Willem de Bruijn. Signed-off-by: Eric Dumazet <[email protected]> Reported-by: Dmitry Vyukov <[email protected]> Cc: Willem de Bruijn <[email protected]> Signed-off-by: David S. Miller <[email protected]>

Diffstat (limited to 'net/tipc/node.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: