xfrm6: Fix ICMPv6 and MH header checks in _decode_session6 - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Mathias Krause <mathias.krause@secunet.com>	2015-09-11 09:57:20 +0200
committer	Steffen Klassert <steffen.klassert@secunet.com>	2015-09-14 10:53:05 +0200
commit	04a6b8bfee06e309be7e9ae4527cdab19c081761 (patch)
tree	82e72d3ed231222243487b575887c2b974025a6d /net/xfrm
parent	93efac3f2e03321129de67a3c0ba53048bb53e31 (diff)
download	linux-04a6b8bfee06e309be7e9ae4527cdab19c081761.tar.bz2

xfrm6: Fix ICMPv6 and MH header checks in _decode_session6

Ensure there's enough data left prior calling pskb_may_pull(). If skb->data was already advanced, we'll call pskb_may_pull() with a negative value converted to unsigned int -- leading to a huge positive value. That won't matter in practice as pskb_may_pull() will likely fail in this case, but it leads to underflow reports on kernels handling such kind of over-/underflows, e.g. a PaX enabled kernel instrumented with the size_overflow plugin. Reported-by: satmd <satmd@lain.at> Reported-and-tested-by: Marcin Jurkowski <marcin1j@gmail.com> Signed-off-by: Mathias Krause <mathias.krause@secunet.com> Cc: PaX Team <pageexec@freemail.hu> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Diffstat (limited to 'net/xfrm')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: