dccp: Add check for truncated ICMPv6 DCCP error packets

Previous thread: dccp: Add check for sequence number in ICMPv6 message by Linux Kernel Mailing List on Monday, July 28, 2008 - 10:00 am. (1 message)

Next thread: dccp: Fix incorrect length check for ICMPv4 packets by Linux Kernel Mailing List on Monday, July 28, 2008 - 10:00 am. (1 message)

[view original message]

From: Linux Kernel Mailing List

Subject: dccp: Add check for truncated ICMPv6 DCCP error packets

Date: Monday, July 28, 2008 - 10:00 am

Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=860239...
Commit:     860239c56bbc7c830bdbcec93b140f22a5a5219b
Parent:     18e1d836002ad970f42736bad09b7be9cfe99545
Author:     Wei Yongjun &lt;yjwei@cn.fujitsu.com&gt;
AuthorDate: Sat Jul 26 11:59:11 2008 +0100
Committer:  Gerrit Renker &lt;gerrit@erg.abdn.ac.uk&gt;
CommitDate: Sat Jul 26 11:59:11 2008 +0100

    dccp: Add check for truncated ICMPv6 DCCP error packets
    
    This patch adds a minimum-length check for ICMPv6 packets, as per the previous
    patch for ICMPv4 payloads.
    
    Signed-off-by: Wei Yongjun &lt;yjwei@cn.fujitsu.com&gt;
    Signed-off-by: Gerrit Renker &lt;gerrit@erg.abdn.ac.uk&gt;
---
 net/dccp/ipv6.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 25826b1..5e1ee0d 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -96,6 +96,12 @@ static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 	__u64 seq;
 	struct net *net = dev_net(skb-&gt;dev);
 
+	if (skb-&gt;len &lt; offset + sizeof(*dh) ||
+	    skb-&gt;len &lt; offset + __dccp_basic_hdr_len(dh)) {
+		ICMP6_INC_STATS_BH(__in6_dev_get(skb-&gt;dev), ICMP6_MIB_INERRORS);
+		return;
+	}
+
 	sk = inet6_lookup(net, &amp;dccp_hashinfo,
 			&amp;hdr-&gt;daddr, dh-&gt;dccph_dport,
 			&amp;hdr-&gt;saddr, dh-&gt;dccph_sport, inet6_iif(skb));
--

[ message continues ]


linux-kernel:
Paul Turner	[tg_shares_up rewrite v2 11/11] sched: update tg->shares after cpu.shares write
Ingo Molnar	Re: [RFC] Cpu-hotplug: Using the Process Freezer (try2)
Michal Nazarewicz	Re: [PATCH] USB: Gadget: g_multi: added INF file for gadget with multiple configur...
Eric W. Biederman	Re: init's children list is long and slows reaping children.
Jeffrey V. Merkey	Re: Versioning file system
git:
Matthieu Moy	Re: Bugs in Gitosis
Daniel Barkalow	Re: About git and the use of SHA-1
David Lang	Re: mingw, windows, crlf/lf, and git
Shawn O. Pearce	Re: Bugs in Gitosis
Junio C Hamano	Re: [PATCH 14/21] Convert ce_path_match() to use struct pathspec
linux-netdev:
David Miller	Re: [2.6.30-rc3] powerpc: compilation error of mace module
David Miller	Re: [PATCH] ipv6: fix display of local and remote sit endpoints
Cong Wang	Re: [PATCH] s2io: add dynamic LRO disable support
Tobacco New Year Promo
Eric Dumazet	Re: [PATCH] net: implement emergency route cache rebulds when gc_elasticity is exc...
git-commits-head:
Linux Kernel Mailing List	V4L/DVB: tm6000: add special usb request to quit i2c tuner transfer
Linux Kernel Mailing List	of/flattree: merge early_init_dt_scan_memory() common code
Linux Kernel Mailing List	b43: N-PHY: add some registers and structs definitions
Linux Kernel Mailing List	powerpc: Move /proc/ppc64 to /proc/powerpc and add symlink
Linux Kernel Mailing List	drivers/acpi: use kasprintf
openbsd-misc:
Ted Bullock	Re: Proliant DL380 G3 cannot get on network
Eric Furman	Re: Defending OpenBSD Performance
Damien Miller	Re: Patching a SSH 'Weakness'
Tony Abernethy	Re: The Atheros story in much fewer words
Nick Holland	Re: 1 out of 3 hunks failed--saving rejects to kerberosV/src/lib/krb5/crypto.c.rej