On Sat, Nov 4, 2017 at 1:31 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> Hello Eric Dumazet,
>
> The patch 3f27fb23219e: "ipv6: addrconf: add per netns perturbation
> in inet6_addr_hash()" from Oct 23, 2017, leads to the following
> static checker warning:
>
>     net/core/pktgen.c:2169 pktgen_setup_inject()
>     error: buffer overflow 'pkt_dev->cur_in6_saddr.in6_u.u6_addr8' 16 <= 255
>
> net/core/pktgen.c
>   2157          if (pkt_dev->flags & F_IPV6) {
>   2158                  int i, set = 0, err = 1;
>   2159                  struct inet6_dev *idev;
>   2160
>   2161                  if (pkt_dev->min_pkt_size == 0) {
>   2162                          pkt_dev->min_pkt_size = 14 + sizeof(struct ipv6hdr)
>   2163                                  + sizeof(struct udphdr)
>   2164                                  + sizeof(struct pktgen_hdr)
>   2165                                  + pkt_dev->pkt_overhead;
>   2166                  }
>   2167
>   2168                  for (i = 0; i < IN6_ADDR_HSIZE; i++)
>                                         ^^^^^^^^^^^^^^
> My guess is that this is the wrong test here, but I don't know for sure.
>
>   2169                          if (pkt_dev->cur_in6_saddr.s6_addr[i]) {
>                                                            ^^^^^^^^^^
> This used to work but now that IN6_ADDR_HSIZE is 256 instead of 16 we're
> reading beyond the end of the array.
>
>   2170                                  set = 1;
>   2171                                  break;
>   2172                          }
>   2173
>   2174                  if (!set) {
>   2175
>   2176                          /*
>   2177                           * Use linklevel address if unconfigured.
>   2178                           *
>   2179                           * use ipv6_get_lladdr if/when it's get exported
>   2180                           */
>   2181
>
> regards,
> dan carpenter

pktgen is obviously wrong.

Thanks for the report.
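
Added example (not part of the thread and not kernel code): a userspace C model of the loop reported above, showing that with the bound at 256 an all-zero address can test as "set" because of neighbouring bytes, next to a check bounded by the array's own size. The `_demo` structs, their padding layout, and the functions `scan_is_set`, `addr_is_set` and `make_unconfigured_dev` are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed userspace stand-ins named after the report; not kernel code. */
#define IN6_ADDR_HSIZE 256	/* hash-table size, no longer equal to 16 */
struct in6_addr_demo { unsigned char s6_addr[16]; };

/* Models a device struct: the address is followed by unrelated fields. */
struct pkt_dev_demo {
	struct in6_addr_demo cur_in6_saddr;
	unsigned char other_fields[IN6_ADDR_HSIZE - 16];
};

/* Scans `bound` bytes from the start of the address, as the reported loop
 * does. In bounds here only because pkt_dev_demo is exactly 256 bytes. */
static int scan_is_set(const struct pkt_dev_demo *d, size_t bound)
{
	const unsigned char *p = (const unsigned char *)d;
	size_t i;
	for (i = 0; i < bound; i++)
		if (p[i])
			return 1;
	return 0;
}

/* Bound taken from the array being indexed, so it follows the type. */
static int addr_is_set(const struct in6_addr_demo *a)
{
	size_t i;
	for (i = 0; i < sizeof(a->s6_addr); i++)
		if (a->s6_addr[i])
			return 1;
	return 0;
}

/* Constructed case: all-zero (unconfigured) address, one non-zero neighbour. */
static struct pkt_dev_demo make_unconfigured_dev(void)
{
	struct pkt_dev_demo d;
	memset(&d, 0, sizeof(d));
	d.other_fields[40] = 0x7f;
	return d;
}

int main(void)
{
	struct pkt_dev_demo d = make_unconfigured_dev();
	printf("bound=IN6_ADDR_HSIZE: set=%d\n", scan_is_set(&d, IN6_ADDR_HSIZE));
	printf("bound=sizeof(array):  set=%d\n", addr_is_set(&d.cur_in6_saddr));
	return 0;
}
```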