mirror of https://github.com/torvalds/linux.git
In rt_mt6(), when it's a nonlinear skb, the 1st skb_header_pointer()
only copies sizeof(struct ipv6_rt_hdr) to _route that rh points to.
The access by ((const struct rt0_hdr *)rh)->reserved will overflow
the buffer. So this access should be moved below the 2nd call to
skb_header_pointer().
Besides, after the 2nd skb_header_pointer(), its return value should
also be checked, otherwise, *rp may cause null-pointer-ref.
v1->v2:
- clean up some old debugging log.
Fixes:
| | | |
|---|---|---|
| Kconfig | ||
| Makefile | ||
| ip6_tables.c | ||
| ip6t_NPT.c | ||
| ip6t_REJECT.c | ||
| ip6t_SYNPROXY.c | ||
| ip6t_ah.c | ||
| ip6t_eui64.c | ||
| ip6t_frag.c | ||
| ip6t_hbh.c | ||
| ip6t_ipv6header.c | ||
| ip6t_mh.c | ||
| ip6t_rpfilter.c | ||
| ip6t_rt.c | ||
| ip6t_srh.c | ||
| ip6table_filter.c | ||
| ip6table_mangle.c | ||
| ip6table_nat.c | ||
| ip6table_raw.c | ||
| ip6table_security.c | ||
| nf_conntrack_reasm.c | ||
| nf_defrag_ipv6_hooks.c | ||
| nf_dup_ipv6.c | ||
| nf_flow_table_ipv6.c | ||
| nf_reject_ipv6.c | ||
| nf_socket_ipv6.c | ||
| nf_tproxy_ipv6.c | ||
| nft_dup_ipv6.c | ||
| nft_fib_ipv6.c | ||
| nft_reject_ipv6.c | ||