diff options
| author | Amerigo Wang <amwang@redhat.com> | 2012-10-09 17:48:16 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-10-21 09:27:59 -0700 |
| commit | c8479435f2191c22871a4b27e7eb2d501f4661e8 (patch) | |
| tree | aca208ae881fd4de8e75d818942e3ecc9164eb59 /net | |
| parent | c4c493a4adcee75e1e44af044d0b7fc1b5192b61 (diff) | |
| download | linux-3.10-c8479435f2191c22871a4b27e7eb2d501f4661e8.tar.gz linux-3.10-c8479435f2191c22871a4b27e7eb2d501f4661e8.tar.bz2 linux-3.10-c8479435f2191c22871a4b27e7eb2d501f4661e8.zip | |
pktgen: fix crash when generating IPv6 packets
commit 5aa8b572007c4bca1e6d3dd4c4820f1ae49d6bb2 upstream.
For IPv6, sizeof(struct ipv6hdr) = 40, thus the following
expression will result negative:
datalen = pkt_dev->cur_pkt_size - 14 -
sizeof(struct ipv6hdr) - sizeof(struct udphdr) -
pkt_dev->pkt_overhead;
And, the check "if (datalen < sizeof(struct pktgen_hdr))" will be
passed as "datalen" is promoted to unsigned, therefore will cause
a crash later.
This is a quick fix by checking if "datalen" is negative. The following
patch will increase the default value of 'min_pkt_size' for IPv6.
This bug should exist for a long time, so Cc -stable too.
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/pktgen.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/core/pktgen.c b/net/core/pktgen.c index b81369b6ddc..8dae76f481e 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -2932,7 +2932,7 @@ static struct sk_buff *fill_packet_ipv6(struct net_device *odev, sizeof(struct ipv6hdr) - sizeof(struct udphdr) - pkt_dev->pkt_overhead; - if (datalen < sizeof(struct pktgen_hdr)) { + if (datalen < 0 || datalen < sizeof(struct pktgen_hdr)) { datalen = sizeof(struct pktgen_hdr); if (net_ratelimit()) pr_info("increased datalen to %d\n", datalen); |