(usagi-users 00087) Re: [usagi-announce] 2001/01/22 snapshot
In article <200101220553.f0M5r3s49225@xxxxxxxxxxxxxxxxxxxx> (at Sun, 21 Jan 2001 21:53:03 -0800 (PST)), Elliott Mitchell <ehem@xxxxxxx> says:
> > 2001/01/10 yoshfuji
> > * net/ipv6/exthdrs.c: ensure not to overrun while parsing tlv
> > options.
>
> How severe was this? Might this be vulnerable to attack?
If an IPv6 packet has a hop-by-hop / destination option and
the option does not fit in the extension header, the kernel
might panic:
Extension header:
+-------------------------------------------------+
|nxthdr|extlen| tlv options .....                 |
+-------------------------------------------------+
^p                                                ^p+((extlen+1)<<3)

TLV option:
+---------------------------------------+
|type|optlen|optdata ....            ///|
+---------------------------------------+
^q                                      ^q+(optlen+2)
I had not experienced this panic, but the code was logically wrong;
so I fixed it.
--
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@xxxxxxxxxxxxxx>
PGP5i FP: F731 6599 5EB2 BBA7 1515 1323 1806 A96F 5700 6B25
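
Added example, not part of the original message and not the USAGI change to net/ipv6/exthdrs.c: a C walker that enforces the two bounds in the diagrams above, rejecting any option whose q+(optlen+2) would pass p+((extlen+1)<<3). The function name, the Pad1 handling (option type 0 is a single byte with no length field in the IPv6 specification), and the sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_PAD1 0   /* one-byte padding option: no optlen, no optdata */

/* Walk the TLV options of one hop-by-hop / destination options header.
 * p is the first byte (nxthdr); avail is how many bytes the buffer really
 * holds from p. Returns the option count, or -1 if the header or any
 * option would run past p+((extlen+1)<<3). (Hypothetical helper.) */
int walk_tlv_options(const uint8_t *p, size_t avail)
{
    if (avail < 2)
        return -1;                    /* cannot read nxthdr/extlen */
    size_t hdrlen = ((size_t)p[1] + 1) << 3;
    if (hdrlen > avail)
        return -1;                    /* header longer than the buffer */

    size_t q = 2;                     /* offset of current option from p */
    int count = 0;
    while (q < hdrlen) {
        if (p[q] == OPT_PAD1) {       /* Pad1: a type byte only */
            q++;
            count++;
            continue;
        }
        if (hdrlen - q < 2)
            return -1;                /* optlen byte lies outside header */
        size_t optlen = p[q + 1];
        if (optlen + 2 > hdrlen - q)
            return -1;                /* q+(optlen+2) passes header end */
        q += optlen + 2;
        count++;
    }
    return count;
}

/* Constructed sample headers (nxthdr 59, extlen 0 => 8 bytes). */
const uint8_t hdr_ok[8]      = {59, 0, 1, 4, 0, 0, 0, 0}; /* PadN fits exactly */
const uint8_t hdr_overrun[8] = {59, 0, 1, 5, 0, 0, 0, 0}; /* optlen one too big */
const uint8_t hdr_tail[8]    = {59, 0, 1, 3, 0, 0, 0, 5}; /* type in last byte */

int main(void)
{
    printf("%d %d %d\n", walk_tlv_options(hdr_ok, 8),
           walk_tlv_options(hdr_overrun, 8), walk_tlv_options(hdr_tail, 8));
    return 0;
}
```

Comparing lengths as `optlen + 2 > hdrlen - q` keeps the check in unsigned offsets, so no pointer is ever formed beyond the header before it is validated.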