ipv6: sr: fix out-of-bounds access in SRH validation

This patch fixes an out-of-bounds access in seg6_validate_srh() when the trailing data is less than sizeof(struct sr6_tlv). Reported-by: N Andrey Konovalov <andreyknvl@google.com> Cc: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: N David Lebrun <david.lebrun@uclouvain.be> Signed-off-by: N David S. Miller <davem@davemloft.net>

ipv6: sr: fix out-of-bounds access in SRH validation
This patch fixes an out-of-bounds access in seg6_validate_srh() when the trailing data is less than sizeof(struct sr6_tlv). Reported-by: N Andrey Konovalov <andreyknvl@google.com> Cc: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: N David Lebrun <david.lebrun@uclouvain.be> Signed-off-by: N David S. Miller <davem@davemloft.net>
2f3bb642 · David Lebrun · David S. Miller · c1f8d0f9 · 2f3bb642
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

net/ipv6/seg6.c net/ipv6/seg6.c +3 -0

未找到文件。
--- a/net/ipv6/seg6.c
+++ b/net/ipv6/seg6.c
@@ -53,6 +53,9 @@ bool seg6_validate_srh(struct ipv6_sr_hdr *srh, int len)
 		struct sr6_tlv *tlv;
 		unsigned int tlv_len;
+		if (trailing < sizeof(*tlv))
+			return false;
 		tlv = (struct sr6_tlv *)((unsigned char *)srh + tlv_offset);
 		tlv_len = sizeof(*tlv) + tlv->len;