Add skb signedness patch from Patrick.
authorChris Wright <chrisw@osdl.org>
Mon, 18 Jul 2005 05:00:18 +0000 (22:00 -0700)
committerChris Wright <chrisw@osdl.org>
Mon, 18 Jul 2005 05:00:18 +0000 (22:00 -0700)
queue/series
queue/skb-signedness-fix.patch [new file with mode: 0644]

index 7ebb11fbd6dbcfeed17c9bde9ab33c4d329d27ff..b64d8bf8e372fb8f5378dd31efc9919222f01230 100644 (file)
@@ -2,3 +2,4 @@ kbuild-fix-tags-problem-with-o.patch
 qla2xxx-fc_remote_port_add-failure-fix.patch
 rocket_c-fix-ldisc-ref-count.patch
 x86_64-32bit-memleak.patch
+skb-signedness-fix.patch
diff --git a/queue/skb-signedness-fix.patch b/queue/skb-signedness-fix.patch
new file mode 100644 (file)
index 0000000..5770feb
--- /dev/null
@@ -0,0 +1,63 @@
+From kaber@trash.net  Sun Jul 17 21:52:56 2005
+Date: Mon, 18 Jul 2005 06:52:50 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: Chris Wright <chrisw@osdl.org>
+CC: stable@kernel.org
+Subject: [PATCH] [NET]: Fix signedness issues in net/core/filter.c
+
+This is the code to load packet data into a register:
+
+                        k = fentry->k;
+                        if (k < 0) {
+...
+                        } else {
+                                u32 _tmp, *p;
+                                p = skb_header_pointer(skb, k, 4, &_tmp);
+                                if (p != NULL) {
+                                        A = ntohl(*p);
+                                        continue;
+                                }
+                        }
+
+skb_header_pointer checks if the requested data is within the
+linear area:
+
+        int hlen = skb_headlen(skb);
+
+        if (offset + len <= hlen)
+                return skb->data + offset;
+
+When offset is within [INT_MAX-len+1..INT_MAX] the addition will
+result in a negative number which is <= hlen.
+
+I couldn't trigger a crash on my AMD64 with 2GB of memory, but a
+coworker tried on his x86 machine and it crashed immediately.
+
+This patch fixes the check in skb_header_pointer to handle large
+positive offsets similar to skb_copy_bits. Invalid data can still
+be accessed using negative offsets (also similar to skb_copy_bits),
+anyone using negative offsets needs to verify them himself.
+
+Thanks to Thomas Vögtle <thomas.voegtle@coreworks.de> for verifying the
+problem by crashing his machine and providing me with an Oops.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ include/linux/skbuff.h |    2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux-2.6.12.y/include/linux/skbuff.h
+===================================================================
+--- linux-2.6.12.y.orig/include/linux/skbuff.h
++++ linux-2.6.12.y/include/linux/skbuff.h
+@@ -1192,7 +1192,7 @@ static inline void *skb_header_pointer(c
+ {
+       int hlen = skb_headlen(skb);
+-      if (offset + len <= hlen)
++      if (hlen - offset >= len)
+               return skb->data + offset;
+       if (skb_copy_bits(skb, offset, buffer, len) < 0)
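Review bot: The rewritten test `if (hlen - offset >= len)` still passes for any negative `offset`, so the fast path returns `skb->data + offset`, a pointer in front of the linear data. The patch description admits this, but nothing in the code records it. I would put a comment directly above the check, for example `/* Rejects large positive offsets; negative offsets are NOT validated here, callers must check them. */`. If `offset` is a signed int (inferred from the description, since the signature is truncated in the hunk header), `hlen - offset` can itself overflow for offsets near INT_MIN, which is undefined behaviour and worth naming in the same comment. The body of skb_header_pointer continues past the end of the hunk, so the remaining paths are not visible here.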