On Sun, Jan 06, 2008 at 11:22:04AM +1100, Herbert Xu wrote: > Actually if you read the code for ip_fast_csum it's obvious what has > happened. %o1 == iph->ihl contains the value 2 which is bogus. > > [IPV4] raw: Strengthen check on validity of iph->ihl > > We currently check that iph->ihl is bounded by the real length and that > the real length is greater than the minimum IP header length. However, > we did not check the caes where iph->ihl is less than the minimum IP > header length. > > This breaks because some ip_fast_csum implementations assume that which > is quite reasonable. Humm... Point, but that makes me wonder what other callers do... E.g. what about ipt_REJECT.c::send_reset()? Or myri10ge_get_frag_header()? - To unsubscribe from this list: send the line "unsubscribe sparclinux" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
