| commit | ba93cf7d2118774c0b2dcfccc8ae999427815caa | |
| author | Eric Dumazet <edumazet@google.com> | |
| Thu, 3 Nov 2016 02:00:40 +0000 (2 19:00 -0700) | ||
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| Mon, 21 Nov 2016 09:11:35 +0000 (21 10:11 +0100) | ||
| tree | 3ae3a37859a0214d729c7be20efcf36fab48f093 | treesnapshot (tar.gz zip) |
| parent | 378a611013748171f37aef165148bb75fbce85e2 | commitdiff |
dccp: fix out of bound access in dccp_v4_err()
[ Upstream commit 6706a97fec963d6cb3f7fc2978ec1427b4651214 ]
dccp_v4_err() does not use pskb_may_pull() and might access garbage.
We only need 4 bytes at the beginning of the DCCP header, like TCP,
so the 8 bytes pulled in icmp_socket_deliver() are more than enough.
This patch might allow to process more ICMP messages, as some routers
are still limiting the size of reflected bytes to 28 (RFC 792), instead
of extended lengths (RFC 1812 4.3.2.3)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 6706a97fec963d6cb3f7fc2978ec1427b4651214 ]
dccp_v4_err() does not use pskb_may_pull() and might access garbage.
We only need 4 bytes at the beginning of the DCCP header, like TCP,
so the 8 bytes pulled in icmp_socket_deliver() are more than enough.
This patch might allow to process more ICMP messages, as some routers
are still limiting the size of reflected bytes to 28 (RFC 792), instead
of extended lengths (RFC 1812 4.3.2.3)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| net/dccp/ipv4.c | diffblobblamehistory |