Hi Glenn,

> The memcpy of ipv6 header destination address to the skb control block
> (skb->cb) in header_create() results in corrupted memory when bt_xmit()
> is issued. The skb->cb is "released" in the return of header_create()
> making room for lower layer to manipulate the skb->cb.
>
> The value retrieved in bt_xmit is not persistent across header creation
> and sending, and the lower layer will overwrite portions of skb->cb,
> making the copied destination address wrong.
>
> The memory corruption will lead to non-working multicast as the first 4
> bytes of the copied destination address are replaced by a value that
> resolves into a non-multicast prefix.
>
> The issue has also been observed in kernel 4.5.
>
> This fix removes the dependency on the skb control block between header
> creation and send, by moving the destination address memcpy to the send
> function path (setup_create, which is called from bt_xmit).
>
> Signed-off-by: Glenn Ruben Bakke <glenn.ruben.bakke@xxxxxxxxxxxxx>
> ---
> net/bluetooth/6lowpan.c | 11 ++++-------
> 1 file changed, 4 insertions(+), 7 deletions(-)

Patch has been applied to bluetooth-next tree.

Regards

Marcel