(usagi-users 02523) Bug in ipv6_skip_exthdr?


I found a bug in ipv6_skip_exthdr of the STABLE Release 4.1.

The following code in ipv6_skip_exthdr (ipv6/exthdrs.c)
casts 'hdr' to 'struct frag_hdr' and reads 'frag_off',
but 'hdr' is 2 bytes, so I think it couldn't get valid frag_off data.

Fragment Reassembly (Payload size=65536) in the TAHI Test sometimes FAILs because of this bug.

    struct ipv6_opt_hdr hdr;
    if (nexthdr == NEXTHDR_FRAGMENT) {
        struct frag_hdr *fhdr = (struct frag_hdr *) &hdr;
        if (ntohs(fhdr->frag_off) & ~0x7)
        hdrlen = 8;
    } else if (nexthdr == NEXTHDR_AUTH)

Sorry, I don't know how to fix this.
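The defect described in the post is that only a 2-byte 'struct ipv6_opt_hdr' is held locally, yet 'frag_off' sits at byte offset 2 of the 8-byte fragment header, so the cast reads past the end of the local copy. The walker below is an added, stand-alone illustration written for this thread; it is not the USAGI or Linux code. It mirrors the shape of ipv6_skip_exthdr with its own names ('skip_exthdr', 'build_packet', 'walk_constructed' are assumptions) and reads 'frag_off' from the packet buffer itself, after checking that the full 8-byte fragment header is actually present. The packets it walks are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IANA next-header values used by the walker. */
#define NEXTHDR_HOP      0
#define NEXTHDR_UDP      17
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_AUTH     51
#define NEXTHDR_DEST     60

struct ipv6_opt_hdr { uint8_t nexthdr; uint8_t hdrlen; };               /* 2 bytes */
struct frag_hdr { uint8_t nexthdr; uint8_t reserved;
                  uint16_t frag_off; uint32_t identification; };        /* 8 bytes */

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static int ipv6_ext_hdr(uint8_t nh) {
    return nh == NEXTHDR_HOP || nh == NEXTHDR_ROUTING || nh == NEXTHDR_FRAGMENT ||
           nh == NEXTHDR_AUTH || nh == NEXTHDR_DEST;
}

/* Walk the extension-header chain of pkt[0..len) beginning at 'start'.
 * Returns the offset of the upper-layer header and stores its protocol in
 * *nexthdrp; returns -1 if the chain is truncated or this is a non-first
 * fragment (whose upper-layer header lives in another packet). */
static int skip_exthdr(const uint8_t *pkt, size_t len, size_t start, uint8_t *nexthdrp) {
    uint8_t nexthdr = *nexthdrp;
    while (ipv6_ext_hdr(nexthdr)) {
        struct ipv6_opt_hdr hdr;
        size_t hdrlen;
        if (start + sizeof hdr > len)
            return -1;                      /* generic 2-byte header missing */
        memcpy(&hdr, pkt + start, sizeof hdr);
        if (nexthdr == NEXTHDR_FRAGMENT) {
            /* frag_off is beyond the 2-byte copy: bounds-check the full
             * fragment header and read the field from the packet. */
            if (start + sizeof(struct frag_hdr) > len)
                return -1;
            uint16_t frag_off = read_be16(pkt + start + offsetof(struct frag_hdr, frag_off));
            if (frag_off & ~0x7)
                return -1;                  /* fragment offset != 0: not the first fragment */
            hdrlen = 8;                     /* fragment header is always 8 bytes */
        } else if (nexthdr == NEXTHDR_AUTH) {
            hdrlen = (size_t)(hdr.hdrlen + 2) << 2;   /* AH length is in 4-byte units */
        } else {
            hdrlen = (size_t)(hdr.hdrlen + 1) << 3;   /* others in 8-byte units */
        }
        nexthdr = hdr.nexthdr;
        start += hdrlen;
    }
    *nexthdrp = nexthdr;
    return (int)start;
}

/* Constructed test packet: IPv6 base header (40), Hop-by-Hop (8),
 * Fragment header (8) with the given frag_off field, then a UDP header (8). */
static size_t build_packet(uint8_t *buf, uint16_t frag_off_field) {
    memset(buf, 0, 64);
    buf[0]  = 0x60;                         /* version 6 */
    buf[6]  = NEXTHDR_HOP;                  /* base header: next = Hop-by-Hop */
    buf[40] = NEXTHDR_FRAGMENT; buf[41] = 0;/* Hop-by-Hop: next = Fragment, 8 bytes */
    buf[48] = NEXTHDR_UDP;      buf[49] = 0;/* Fragment: next = UDP */
    buf[50] = (uint8_t)(frag_off_field >> 8);
    buf[51] = (uint8_t)(frag_off_field & 0xff);
    return 64;
}

/* Build a packet, optionally truncate it to 'len', and walk it. */
int walk_constructed(uint16_t frag_off_field, size_t len, uint8_t *nh_out) {
    uint8_t pkt[64];
    size_t full = build_packet(pkt, frag_off_field);
    if (len > full) len = full;
    *nh_out = pkt[6];
    return skip_exthdr(pkt, len, 40, nh_out);
}

int main(void) {
    uint8_t nh;
    printf("first fragment:  offset %d, next header %u\n", walk_constructed(0x0001, 64, &nh), nh);
    printf("later fragment:  %d\n", walk_constructed(0x0008, 64, &nh));
    printf("truncated:       %d\n", walk_constructed(0x0001, 52, &nh));
    return 0;
}
```

The first fragment (offset 0, M flag set) resolves to the UDP header at byte 56; a later fragment (offset 1, encoded as 0x0008) and a packet cut off inside the fragment header both return -1 instead of reading stale or out-of-range bytes, which is the failure the post attributes to the 2-byte 'hdr'.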