Skip to content
Commit 04a6b8bf authored by Mathias Krause's avatar Mathias Krause Committed by Steffen Klassert
Browse files

xfrm6: Fix ICMPv6 and MH header checks in _decode_session6 



Ensure there's enough data left prior calling pskb_may_pull(). If
skb->data was already advanced, we'll call pskb_may_pull() with a
negative value converted to unsigned int -- leading to a huge
positive value. That won't matter in practice as pskb_may_pull()
will likely fail in this case, but it leads to underflow reports on
kernels handling such kind of over-/underflows, e.g. a PaX enabled
kernel instrumented with the size_overflow plugin.

Reported-by: default avatarsatmd <satmd@lain.at>
Reported-and-tested-by: default avatarMarcin Jurkowski <marcin1j@gmail.com>
Signed-off-by: default avatarMathias Krause <mathias.krause@secunet.com>
Cc: PaX Team <pageexec@freemail.hu>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent 93efac3f
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment