Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / kernel / common / cebff3d9f74fe1bb7dab9fb57747d1a5679c5ed3
commitcebff3d9f74fe1bb7dab9fb57747d1a5679c5ed3[log] [tgz]
authorEric Dumazet <edumazet@google.com>Thu Jun 24 03:07:20 2021 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Wed Jul 14 16:56:28 2021 +0200
tree7f4bb7c998810ed6ba97536f58868fd01639d028
parent9e753c47b905f068c4477387ff29a4c7124f3e97 [diff]
ipv6: fix out-of-bound access in ip6_parse_tlv()

[ Upstream commit 624085a31c1ad6a80b1e53f686bf6ee92abbf6e8 ]

First problem is that optlen is fetched without checking
there is more than one byte to parse.

Fix this by taking care of IPV6_TLV_PAD1 before
fetching optlen (under appropriate sanity checks against len)

Second problem is that IPV6_TLV_PADN checks of zero
padding are performed before the check of remaining length.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Fixes: c1412fce7ecc ("net/ipv6/exthdrs.c: Strict PadN option checking")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
1 file changed
tree: 7f4bb7c998810ed6ba97536f58868fd01639d028
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. LICENSES/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .clang-format
  24. .cocciconfig
  25. .get_maintainer.ignore
  26. .gitattributes
  27. .gitignore
  28. .mailmap
  29. COPYING
  30. CREDITS
  31. Kbuild
  32. Kconfig
  33. MAINTAINERS
  34. Makefile
  35. README