On Mon, 2016-03-28 at 23:11 +0200, Jozsef Kadlecsik wrote: > In net/netfilter/nf_conntrack_proto_tcp.c we copy the options into a > buffer with skb_header_pointer(), so it's not a false positive there and > the KASAN report referred to that part. > Although the out of bound could be one extra byte, if skb_header_bpointer() had to copy something (since it also might return a pointer inside skb->head) No arch would possibly fault here. So reading one byte on the stack is fooling KASAN, but no ill effect would actually happen. If the read byte is < 2, the function would return because of if (opsize < 2) return; If the read byte is >= 2, the function would return because of if (opsize > length) return; /* don't parse partial options */ (Since we care here of the case where length == 1) No big deal, it is probably better to 'fix' the code so that it pleases dynamic checkers. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
