On Wed, Mar 06, 2019 at 12:35:43PM +0100, Steffen Klassert wrote:
> On Wed, Mar 06, 2019 at 04:33:08PM +0900, Myungho Jung wrote:
> > In esp4_gro_receive() and esp6_gro_receive(), secpath can be allocated
> > without adding xfrm state to xvec. Then, sp->xvec[sp->len - 1] would
> > fail and result i
On Wed, Mar 06, 2019 at 04:33:08PM +0900, Myungho Jung wrote:
> In esp4_gro_receive() and esp6_gro_receive(), secpath can be allocated
> without adding xfrm state to xvec. Then, sp->xvec[sp->len - 1] would
> fail and result in dereferencing invalid pointer in esp4_gso_segment()
> and esp6_gso_segme
In esp4_gro_receive() and esp6_gro_receive(), secpath can be allocated
without adding xfrm state to xvec. Then, sp->xvec[sp->len - 1] would
fail and result in dereferencing invalid pointer in esp4_gso_segment()
and esp6_gso_segment(). Reset secpath if xfrm function returns error.
Reported-by: syzb
3 matches
Mail list logo
