Re: [PATCH] ipv6: ensure message length for raw socket is at least sizeof(ipv6hdr)

From: Eric Dumazet
Date: Tue Apr 25 2017 - 14:10:36 EST

Next message: Fabian Frederick: "[PATCH 1/1 linux-next] staging: media: atomisp: kmap() can't fail"
Previous message: Doug Ledford: "Re: [PATCH] IB/iser: fix spelling mistake: "unexepected" -> "unexpected""
In reply to: David Miller: "Re: [PATCH] ipv6: ensure message length for raw socket is at least sizeof(ipv6hdr)"
Next in thread: Alexander Potapenko: "Re: [PATCH] ipv6: ensure message length for raw socket is at least sizeof(ipv6hdr)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 25, 2017 at 10:55 AM, David Miller <davem@xxxxxxxxxxxxx> wrote:
> From: Alexander Potapenko <glider@xxxxxxxxxx>
> Date: Tue, 25 Apr 2017 15:18:27 +0200
>
>> rawv6_send_hdrinc() expects that the buffer copied from the userspace
>> contains the IPv6 header, so if too few bytes are copied parts of the
>> header may remain uninitialized.
>>
>> This bug has been detected with KMSAN.
>>
>> Signed-off-by: Alexander Potapenko <glider@xxxxxxxxxx>
>
> Hmmm, ipv4 seems to lack this check as well.
>
> I think we need to be careful here and fully understand why KMSAN doesn't
> seem to be triggering in the ipv4 case but for ipv6 it is before I apply
> this.

This could be a bug in nf_ct_frag6_gather() missing one pskb_may_pull()

Next message: Fabian Frederick: "[PATCH 1/1 linux-next] staging: media: atomisp: kmap() can't fail"
Previous message: Doug Ledford: "Re: [PATCH] IB/iser: fix spelling mistake: "unexepected" -> "unexpected""
In reply to: David Miller: "Re: [PATCH] ipv6: ensure message length for raw socket is at least sizeof(ipv6hdr)"
Next in thread: Alexander Potapenko: "Re: [PATCH] ipv6: ensure message length for raw socket is at least sizeof(ipv6hdr)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]