Re: [PATCH] net: Fix potential out of bound write in skb_try_coalesce()

From: Eric Dumazet
Date: Tue Aug 04 2020 - 10:35:57 EST


On Tue, Aug 4, 2020 at 4:46 AM linmiaohe <linmiaohe@xxxxxxxxxx> wrote:
>
> From: Miaohe Lin <linmiaohe@xxxxxxxxxx>
>
> The head_frag of skb would occupy one extra skb_frag_t. Take it into
> account or an out-of-bounds write to skb frags may happen.
>
> Signed-off-by: Miaohe Lin <linmiaohe@xxxxxxxxxx>

Please share a stack trace if this was a real bug spotted in the wild.

I do not believe this patch is correct.

if (A + B >= MAX) is equivalent to if (A + B + 1 > MAX)

Note how the other condition (when there are no bytes in skb header) is coded:

if (A + B > MAX) return false;

In any case, please always provide a Fixes: tag for any bug fix.

Thanks.
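
The following is an added example, not part of the original mail or of the kernel source: a small C model that checks the two quoted conditions exhaustively. It assumes A and B are the fragment counts of the two skbs and MAX is the capacity of the frags array; the value 17 and the names `coalesce_model` and `count_violations` are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX 17  /* constructed capacity of the frags array (assumption) */

/*
 * Model of the two checks quoted in the mail (hypothetical helper).
 * a = frags already in the destination, b = frags in the source,
 * head_frag = the source has header bytes that need one extra slot.
 * Returns false when coalescing is refused; otherwise stores in *used
 * the number of frag slots occupied after the merge.
 */
bool coalesce_model(size_t a, size_t b, bool head_frag, size_t *used)
{
    if (head_frag) {
        if (a + b >= MAX)       /* same as: a + b + 1 > MAX */
            return false;
        *used = a + b + 1;      /* extra slot for the head fragment */
    } else {
        if (a + b > MAX)
            return false;
        *used = a + b;
    }
    return true;
}

/*
 * Walk every (a, b) pair. Counts accepted merges that would occupy more
 * than MAX slots, plus pairs where ">=" and "+ 1 >" disagree.
 */
int count_violations(void)
{
    int bad = 0;
    for (size_t a = 0; a <= MAX; a++) {
        for (size_t b = 0; b <= MAX; b++) {
            size_t used = 0;
            for (int head = 0; head <= 1; head++)
                if (coalesce_model(a, b, head != 0, &used) && used > MAX)
                    bad++;
            if ((a + b >= MAX) != (a + b + 1 > MAX))
                bad++;
        }
    }
    return bad;
}

int main(void)
{
    return count_violations() ? 1 : 0;
}
```

In both branches the largest accepted merge fills exactly MAX slots, so in this model the `>=` form already reserves the slot for the head fragment.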