Message ID | 1405919862.10255.109.camel@edumazet-glaptop2.roam.corp.google.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Mon, 21 Jul 2014 07:17:42 +0200

> From: Eric Dumazet <edumazet@google.com>
>
> There is a benign buffer overflow in ip_options_compile spotted by
> AddressSanitizer[1] :
>
> It's benign because we always can access one extra byte in skb->head
> (because header is followed by struct skb_shared_info), and in this case
> this byte is not even used.

...

> [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
>
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Right, should be benign, but I will queue it up to -stable anyways just to be safe.

Applied, thanks a lot Eric.
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c index 5e7aecea05cd..ad382499bace 100644 --- a/net/ipv4/ip_options.c +++ b/net/ipv4/ip_options.c @@ -288,6 +288,10 @@ int ip_options_compile(struct net *net, optptr++; continue; } + if (unlikely(l < 2)) { + pp_ptr = optptr; + goto error; + } optlen = optptr[1]; if (optlen < 2 || optlen > l) { pp_ptr = optptr;
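Review bot: the new "if (unlikely(l < 2))" test ahead of "optlen = optptr[1];" carries no comment, and its body repeats the "pp_ptr = optptr; goto error;" of the "optlen < 2 || optlen > l" check directly below it, so at a glance it looks redundant. With l == 1 the existing check already rejects every possible optlen (any value is either < 2 or > l), so the only effect of the added test is to avoid reading optptr[1] when a single option byte remains. A one-line comment above the test saying that at least the type and length bytes must be present before optptr[1] is read would document that intent and keep a later cleanup from folding the two checks back together.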