On Mon, 2016-03-28 at 19:54 -0400, David Miller wrote:
> From: Eric Dumazet <eric.dumazet@xxxxxxxxx>
> Date: Mon, 28 Mar 2016 13:51:46 -0700
>
> > On Mon, 2016-03-28 at 13:46 -0700, Eric Dumazet wrote:
> >
> >> We have at least 384 bytes of padding in skb->head (this is struct
> >> skb_shared_info).
> >>
> >> Whatever garbage we might read, current code is fine.
> >>
> >> We have to deal with a false positive here.
> >
> > Very similar to the one fixed in
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=10ec9472f05b45c94db3c854d22581a20b97db41
>
> I don't see them as similar.
>
> The current options code we are talking about here never references
> past legitimate parts of the packet data. We always check 'length',
> and we never access past the boundary it describes.
>
> This was the entire point of my posting.
>
> Talking about padding, rather than the logical correctness of the
> code, is therefore a distraction I think :-)

Not really, we do read one out of bound byte, David.

	length = 1;
	...
	while (length > 0) {
		int opcode = *ptr++;	// Note that length is still 1

		switch (opcode) {
		...
		default:
			opsize = *ptr++;	// Note that length is still 1
			...
			length -= opsize;
		}

So we do read 2 bytes, while length was 1.

opsize definitely can read garbage.

Call it padding or redzone or whatever ;)
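To make the disagreement above concrete, here is an added C example; it is not code from the thread, from the netfilter tree or from the kernel, and the `guard` flag, the `walk_result` structure and the sample option buffers are constructed for the demonstration. With `guard == 0` the walker has the shape of the loop quoted in the message: on any kind byte other than EOL/NOP it reads `opsize` from the next byte and only afterwards compares it with `length`, so with `length == 1` it touches two bytes. With `guard == 1` it adds the one check that keeps every read inside the declared option block: `opsize` is read only when at least two bytes remain. The option kind values are the standard ones from RFC 793.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP option kinds (RFC 793). */
#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2

struct walk_result {
    uint16_t mss;          /* MSS value if an MSS option was seen, else 0 */
    int truncated;         /* 1 if the walk stopped on a short or malformed option */
    size_t bytes_touched;  /* number of bytes the walk actually read */
};

/*
 * Walk 'length' bytes of TCP options starting at 'ptr'.
 *
 * guard == 0 mirrors the loop quoted in the thread: as soon as a kind byte
 * that is not EOL/NOP is seen, opsize is read from the next byte, and only
 * then is it compared with 'length'. With length == 1 that read is the
 * out-of-bounds byte under discussion, so callers of this mode must pass a
 * buffer padded beyond 'length' (standing in for the skb padding mentioned
 * in the thread) to keep the demonstration itself in bounds.
 *
 * guard == 1 adds the single check that closes the gap: opsize is read only
 * when at least two bytes remain, so every access stays within
 * [ptr, ptr + length).
 */
struct walk_result walk_tcp_options(const uint8_t *ptr, int length, int guard)
{
    struct walk_result r = {0, 0, 0};
    const uint8_t *start = ptr;

    while (length > 0) {
        int opcode = *ptr++;   /* length is not decremented here, as in the thread */
        int opsize;

        switch (opcode) {
        case TCPOPT_EOL:
            goto done;
        case TCPOPT_NOP:
            length--;
            continue;
        default:
            if (guard && length < 2) {   /* only the kind byte is left */
                r.truncated = 1;
                goto done;
            }
            opsize = *ptr++;             /* unguarded: this byte may sit past 'length' */
            if (opsize < 2 || opsize > length) {
                r.truncated = 1;
                goto done;
            }
            if (opcode == TCPOPT_MSS && opsize == 4)
                r.mss = (uint16_t)((ptr[0] << 8) | ptr[1]);
            ptr += opsize - 2;
            length -= opsize;
        }
    }
done:
    r.bytes_touched = (size_t)(ptr - start);
    return r;
}

/* Constructed sample: a one-byte option block (unknown kind 0xfe) followed
 * by one padding byte that is not part of the block. */
static const uint8_t one_byte_options[] = { 0xfe, 0x04 };

/* Constructed sample: NOP, NOP, MSS(1460), EOL. */
static const uint8_t mss_options[] = { 1, 1, 2, 4, 0x05, 0xb4, 0 };

int main(void)
{
    struct walk_result u = walk_tcp_options(one_byte_options, 1, 0);
    struct walk_result g = walk_tcp_options(one_byte_options, 1, 1);
    struct walk_result m = walk_tcp_options(mss_options, (int)sizeof mss_options, 1);

    printf("unguarded, length 1: touched %zu byte(s)\n", u.bytes_touched);
    printf("guarded,   length 1: touched %zu byte(s)\n", g.bytes_touched);
    printf("guarded, well-formed: mss=%u touched=%zu truncated=%d\n",
           m.mss, m.bytes_touched, m.truncated);
    return 0;
}
```

Running it shows the unguarded walk touching 2 bytes of a 1-byte option block while the guarded walk stops after 1; both still parse the well-formed sample identically, which is why the extra check costs nothing on valid traffic.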