mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-27 04:47:05 +00:00
ipv6: Fix out-of-bounds access in ipv6_find_tlv()
commit878ecb0897
upstream. optlen is fetched without checking whether there is more than one byte to parse. It can lead to out-of-bounds access. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes:c61a404325
("[IPV6]: Find option offset by type.") Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> Reviewed-by: Jiri Pirko <jiri@nvidia.com> Reviewed-by: David Ahern <dsahern@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
82501f1ead
commit
59e656d0d4
1 changed files with 2 additions and 0 deletions
|
@ -142,6 +142,8 @@ int ipv6_find_tlv(const struct sk_buff *skb, int offset, int type)
|
|||
optlen = 1;
|
||||
break;
|
||||
default:
|
||||
if (len < 2)
|
||||
goto bad;
|
||||
optlen = nh[offset + 1] + 2;
|
||||
if (optlen > len)
|
||||
goto bad;
|
||||
|
|
Loading…
Reference in a new issue