On Sun, 2015-10-11 at 23:17 +0100, Ben Cox wrote:
> Forgive me for possibly being a little stupid here (This is my first
> patch to Linux so I am slightly over my head)
>
> Is this issue not addressed above the file where the following check is done?
>
> if (iphlen > length)
>     goto error_free;
>
Imagine someone sends a frame, pretending it is ICMP, but containing only
the IPv4 header. And not a _single_ byte more.

length = 20
iphlen = 20 (if say ihl == 5)

We copied 20 bytes from user land.

But your code reads the 21st byte.
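A user-space model of the off-by-one described in the reply above, added here as an example; it is not code from the thread or from the patch under review, and the function names and constructed frames are this example's own:

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the bounds check discussed in the thread; the function names are
 * this example's own, not the kernel's. `buf` holds `length` bytes copied
 * from the sender, claimed to be an IPv4 packet carrying ICMP. */

/* IPv4 header length in bytes: the IHL nibble of byte 0, times 4. */
static size_t ipv4_header_len(const uint8_t *buf)
{
    return (size_t)(buf[0] & 0x0f) * 4;
}

/* The check as quoted: it rejects only a header longer than the data, so a
 * 20-byte frame with ihl == 5 passes and buf[20] is one past the end. */
int check_as_quoted(const uint8_t *buf, size_t length)
{
    size_t iphlen;
    if (length < 1)          /* must not read the IHL byte of an empty frame */
        return 0;
    iphlen = ipv4_header_len(buf);
    if (iphlen > length)
        return 0;            /* the quoted "goto error_free" */
    return 1;                /* caller may now read buf[iphlen] */
}

/* Corrected check: the byte after the header (the ICMP type) must itself lie
 * inside the copied data, so require at least iphlen + 1 bytes and a sane IHL. */
int check_fixed(const uint8_t *buf, size_t length)
{
    size_t iphlen;
    if (length < 1)
        return 0;
    iphlen = ipv4_header_len(buf);
    if (iphlen < 20 || iphlen + 1 > length)
        return 0;
    return 1;                /* buf[iphlen] is inside the buffer */
}

int main(void)
{
    uint8_t header_only[20] = { 0x45 };  /* constructed: IHL 5, nothing after */
    uint8_t with_type[21]   = { 0x45 };  /* constructed: same header + 1 byte */
    with_type[20] = 8;                   /* ICMP echo request type */
    printf("quoted check on 20 bytes: %d\n", check_as_quoted(header_only, 20));
    printf("fixed check on 20 bytes:  %d\n", check_fixed(header_only, 20));
    printf("fixed check on 21 bytes:  %d\n", check_fixed(with_type, 21));
    return 0;
}
```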