From: Herbert Xu <[EMAIL PROTECTED]>
Date: Sun, 06 Jan 2008 11:22:04 +1100
> [IPV4] raw: Strengthen check on validity of iph->ihl
>
> We currently check that iph->ihl is bounded by the real length and that
> the real length is greater than the minimum IP header length. However,
> we did not che
On Sun, Jan 06, 2008 at 02:02:14AM +, Al Viro wrote:
>
> E.g. what about ipt_REJECT.c::send_reset()? Or myri10ge_get_frag_header()?
Yes both look wrong.
Patrick, please have a look at the former. In fact it's not just
that ihl may be bogus (which might be harmless as long as the REJECT
hoo
On Sun, Jan 06, 2008 at 11:22:04AM +1100, Herbert Xu wrote:
> Actually if you read the code for ip_fast_csum it's obvious what has
> happened. %o1 == iph->ihl contains the value 2 which is bogus.
>
> [IPV4] raw: Strengthen check on validity of iph->ihl
>
> We currently check that iph->ihl is bo
On Sun, Jan 06, 2008 at 01:57:13AM +0100, Jan Engelhardt wrote:
>
> >@@ -304,7 +305,8 @@ static int raw_send_hdrinc(struct sock *sk, void *from,
> >size_t length,
> > goto error_fault;
> >
> > /* We don't modify invalid header */
> >-if (length >= sizeof(*iph) && iph->ihl * 4U
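Review bot: the comment `/* We don't modify invalid header */` directly above the changed condition does not say what makes a header invalid, and the removed line shows only a lower bound on `length` (`length >= sizeof(*iph)`) next to `iph->ihl * 4U`. With the test being tightened, the comment should list every condition the new check enforces, including the minimum accepted `iph->ihl`, so a reader can tell which headers are left unmodified.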
On Jan 6 2008 11:22, Herbert Xu wrote:
>@@ -271,6 +271,7 @@ static int raw_send_hdrinc(struct sock *sk, void *from,
>size_t length,
> int hh_len;
> struct iphdr *iph;
> struct sk_buff *skb;
>+ unsigned int iphlen;
> int err;
>
> if (length > rt->u.dst.dev->mtu)
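Review bot: the added `unsigned int iphlen;` in the declarations of raw_send_hdrinc() gives no indication of its unit, and this hunk shows the declaration without the assignment. It sits beside `size_t length` and `int hh_len`, so a short comment saying that it holds the header length in bytes, or declaring it where it is first assigned, would make the later comparison against `length` easier to check for unit and signedness mistakes.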
Al Viro <[EMAIL PROTECTED]> wrote:
>
> ip_fast_csum() called from raw_send_hdrinc() from raw_sendmsg() ran through
> the page boundary into unmapped page... Bloody odd, that, seeing that
> we have checked iph->ihl * 4U <= length and had done
>err = memcpy_fromiovecend((void *)iph, from, 0
On Fri, Jan 04, 2008 at 06:37:36PM +0100, Mariusz Kozlowski wrote:
> Hello,
>
> This comes from the Linus latest linux-2.6 tree. Randomly happened.
> Can't reproduce that. More info below.
ip_fast_csum() called from raw_send_hdrinc() from raw_sendmsg() ran through
the page boundary into u
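The bounds this thread is about, as an added user-space example (not the kernel patch and not code from any poster): a caller-supplied header is rejected when its ihl is below 5 words, such as the value 2 mentioned above, or runs past the supplied length, before any checksum loop trusts it. The function names, `IPV4_MIN_HDR` and the sample header are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_HDR 20u /* bytes; the minimum IPv4 header (ihl == 5) */

/* Return the header length in bytes, or 0 when the caller-supplied header is
 * unusable: short buffer, ihl below 5 words, or ihl running past the data. */
static size_t ipv4_hdr_len_checked(const uint8_t *buf, size_t length)
{
    if (length < IPV4_MIN_HDR)
        return 0;
    size_t iphlen = (size_t)(buf[0] & 0x0f) * 4u; /* ihl: low nibble, byte 0 */
    if (iphlen < IPV4_MIN_HDR || iphlen > length)
        return 0;
    return iphlen;
}

/* RFC 1071 checksum over the header, computed only for a validated length.
 * Returns 0 and stores the checksum, or -1 for an invalid header. */
static int ipv4_hdr_checksum(const uint8_t *buf, size_t length, uint16_t *out)
{
    size_t iphlen = ipv4_hdr_len_checked(buf, length);
    uint32_t sum = 0;

    if (iphlen == 0)
        return -1;
    for (size_t i = 0; i < iphlen; i += 2) /* iphlen is a multiple of 4 */
        sum += (uint32_t)buf[i] << 8 | buf[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    *out = (uint16_t)~sum;
    return 0;
}

/* Constructed sample: 20-byte header with the checksum field zeroed. */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7,
};

int main(void)
{
    uint16_t csum = 0;
    int rc = ipv4_hdr_checksum(sample_hdr, sizeof sample_hdr, &csum);
    printf("rc=%d checksum=0x%04x\n", rc, csum);
    return rc;
}
```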