Re: [PATCH] tcp: no md5sig option size check bug

From: David Miller
Date: Sat Aug 07 2010 - 23:24:28 EST

Next message: cyp: "signo issues in arch/x86/kernel/traps.c"
Previous message: Hiroyuki Kamezawa: "Re: [PATCH] cgroup: add missing __percpu markup in mm/memcontrol.c"
In reply to: Dmitry Popov: "[PATCH] tcp: no md5sig option size check bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dmitry Popov <dp@xxxxxxxxxxxxxxx>
Date: Sat, 7 Aug 2010 23:17:52 +0400

> From: Dmitry Popov <dp@xxxxxxxxxxxxxxx>
>
> tcp_parse_md5sig_option doesn't check md5sig option (TCPOPT_MD5SIG)
> length, but tcp_v[46]_inbound_md5_hash assume that it's at least 16
> bytes long.
>
> Signed-off-by: Dmitry Popov <dp@xxxxxxxxxxxxxxx>

I'll apply this, but the memcmp() we do against this pointer is always
safe because there's at least skb_shared_info()'s worth of valid
memory past skb->data guarenteed at all times which is much larger
than 16 bytes.

So at worst we'd access garbage, but never past a valid piece of
allocated memory.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: cyp: "signo issues in arch/x86/kernel/traps.c"
Previous message: Hiroyuki Kamezawa: "Re: [PATCH] cgroup: add missing __percpu markup in mm/memcontrol.c"
In reply to: Dmitry Popov: "[PATCH] tcp: no md5sig option size check bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]