summaryrefslogtreecommitdiff
path: root/net/core
diff options
context:
space:
mode:
authorAmerigo Wang <amwang@redhat.com>2012-10-09 17:48:16 +0000
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-10-21 09:32:41 -0700
commitac43c058283e037c5acdee95ada41075e0e2dde5 (patch)
tree0c6993a14f65c11a0f9f7f270441e885bef2f62b /net/core
parenta150793f1f0866effaba2521fdf06130aab60d35 (diff)
downloadkernel-common-ac43c058283e037c5acdee95ada41075e0e2dde5.tar.gz
kernel-common-ac43c058283e037c5acdee95ada41075e0e2dde5.tar.bz2
kernel-common-ac43c058283e037c5acdee95ada41075e0e2dde5.zip
pktgen: fix crash when generating IPv6 packets
commit 5aa8b572007c4bca1e6d3dd4c4820f1ae49d6bb2 upstream. For IPv6, sizeof(struct ipv6hdr) = 40, thus the following expression will result negative: datalen = pkt_dev->cur_pkt_size - 14 - sizeof(struct ipv6hdr) - sizeof(struct udphdr) - pkt_dev->pkt_overhead; And, the check "if (datalen < sizeof(struct pktgen_hdr))" will be passed as "datalen" is promoted to unsigned, therefore will cause a crash later. This is a quick fix by checking if "datalen" is negative. The following patch will increase the default value of 'min_pkt_size' for IPv6. This bug should exist for a long time, so Cc -stable too. Signed-off-by: Cong Wang <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/core')
-rw-r--r--net/core/pktgen.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 148e73d2c451..e356b8d52bad 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -2927,7 +2927,7 @@ static struct sk_buff *fill_packet_ipv6(struct net_device *odev,
sizeof(struct ipv6hdr) - sizeof(struct udphdr) -
pkt_dev->pkt_overhead;
- if (datalen < sizeof(struct pktgen_hdr)) {
+ if (datalen < 0 || datalen < sizeof(struct pktgen_hdr)) {
datalen = sizeof(struct pktgen_hdr);
net_info_ratelimited("increased datalen to %d\n", datalen);
}