
(usagi-users 00087) Re: [usagi-announce] 2001/01/22 snapshot



In article <200101220553.f0M5r3s49225@xxxxxxxxxxxxxxxxxxxx> (at Sun, 21 Jan 2001 21:53:03 -0800 (PST)), Elliott Mitchell <ehem@xxxxxxx> says:

> > 2001/01/10	yoshfuji
> > 	* net/ipv6/exthdrs.c: ensure not to overrun while parsing tlv
> > 	options.
> 
> How severe was this? Might this be vulnerable to attack?

If an IPv6 packet has a hop-by-hop / destination option and 
the option does not fit in the extension header, the kernel 
might panic:

Extension header:
  +-------------------------------------------------+
  |nxthdr|extlen| tlv options .....                 |
  +-------------------------------------------------+
  ^p                                                ^p+((extlen+1)<<3)

TLV option:
                +---------------------------------------+
                |type|optlen|optdata ....            ///|
                +---------------------------------------+
                ^q                                      ^q+(optlen+2)

I had not experienced this panic, but the code was logically wrong; 
so I fixed it.

-- 
Hideaki YOSHIFUJI @ USAGI Project  <yoshfuji@xxxxxxxxxxxxxx>
PGP5i FP: F731 6599 5EB2 BBA7 1515  1323 1806 A96F 5700 6B25
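
The check described in the message above, as an added example (not the USAGI patch and not code from the original post): a bounds-checked walk over the TLV options using the diagram's p, extlen, q and optlen. The function name, the Pad1 handling (a single type-0 byte with no length field, per RFC 2460) and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_PAD1 0 /* Pad1: a lone type byte, no optlen field */

/* Constructed sample headers (not captured traffic). */
static const uint8_t hdr_ok[8]      = {59, 0, 1, 4, 0, 0, 0, 0};  /* PadN fills header */
static const uint8_t hdr_overrun[8] = {59, 0, 1, 10, 0, 0, 0, 0}; /* optlen passes end */
static const uint8_t hdr_cut[8]     = {59, 0, 1, 3, 0, 0, 0, 5};  /* type in last byte */

/* Walk the options of one extension header starting at p, with avail bytes
 * readable. Returns the number of non-Pad1 options, or -1 if the header or
 * any option does not fit. */
int walk_tlv_options(const uint8_t *p, size_t avail)
{
    if (avail < 2)
        return -1;
    size_t hdrlen = ((size_t)p[1] + 1) << 3;  /* (extlen+1)<<3 */
    if (hdrlen > avail)
        return -1;                            /* header itself is truncated */

    size_t off = 2;                           /* skip nxthdr and extlen */
    int count = 0;
    while (off < hdrlen) {
        if (p[off] == OPT_PAD1) {
            off++;
            continue;
        }
        if (hdrlen - off < 2)
            return -1;                        /* no room for the optlen byte */
        size_t optsize = (size_t)p[off + 1] + 2;  /* optlen+2 */
        if (optsize > hdrlen - off)
            return -1;                        /* q+(optlen+2) past end of header */
        count++;
        off += optsize;
    }
    return count;
}

int main(void)
{
    printf("ok=%d overrun=%d cut=%d\n",
           walk_tlv_options(hdr_ok, sizeof hdr_ok),
           walk_tlv_options(hdr_overrun, sizeof hdr_overrun),
           walk_tlv_options(hdr_cut, sizeof hdr_cut));
    return 0;
}
```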