Commit 2f3bb642 authored by David Lebrun's avatar David Lebrun Committed by David S. Miller

ipv6: sr: fix out-of-bounds access in SRH validation

This patch fixes an out-of-bounds access in seg6_validate_srh() when the
trailing data is less than sizeof(struct sr6_tlv).
Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarDavid Lebrun <david.lebrun@uclouvain.be>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c1f8d0f9
...@@ -53,6 +53,9 @@ bool seg6_validate_srh(struct ipv6_sr_hdr *srh, int len) ...@@ -53,6 +53,9 @@ bool seg6_validate_srh(struct ipv6_sr_hdr *srh, int len)
struct sr6_tlv *tlv; struct sr6_tlv *tlv;
unsigned int tlv_len; unsigned int tlv_len;
if (trailing < sizeof(*tlv))
return false;
tlv = (struct sr6_tlv *)((unsigned char *)srh + tlv_offset); tlv = (struct sr6_tlv *)((unsigned char *)srh + tlv_offset);
tlv_len = sizeof(*tlv) + tlv->len; tlv_len = sizeof(*tlv) + tlv->len;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment