On Fri, Sep 11, 2015 at 09:57:20AM +0200, Mathias Krause wrote: > From: Mathias Krause <mathias.kra...@secunet.com> > > Ensure there's enough data left prior calling pskb_may_pull(). If > skb->data was already advanced, we'll call pskb_may_pull() with a > negative value converted to unsigned int -- leading to a huge > positive value. That won't matter in practice as pskb_may_pull() > will likely fail in this case, but it leads to underflow reports on > kernels handling such kind of over-/underflows, e.g. a PaX enabled > kernel instrumented with the size_overflow plugin. > > Reported-by: satmd <sa...@lain.at> > Reported-and-tested-by: Marcin Jurkowski <marci...@gmail.com> > Signed-off-by: Mathias Krause <mathias.kra...@secunet.com> > Cc: PaX Team <pagee...@freemail.hu>
Skipping upper layer informations due to a wrong length calculation, may also leed to incorrect policy lookups. Patch applied to the ipsec tree, thanks! -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
