From: Michael Nazzareno Trimarchi <michael@amarulasolutions.com>
To: Fabio Estevam <festevam@gmail.com>
Cc: Ramon Fried <rfried.dev@gmail.com>,
Nicolas Bidron <nicolas.bidron@nccgroup.com>,
"u-boot@lists.denx.de" <u-boot@lists.denx.de>,
"joe.hershberger@ni.com" <joe.hershberger@ni.com>,
"trini@konsulko.com" <trini@konsulko.com>
Subject: Re: Vulnerability Disclosure in net/
Date: Thu, 26 May 2022 14:20:39 +0200
Message-ID: <CAOf5uw=_fdHeJxtUh-hiHzcq3PWH3fFH_GwVD+=E+RBhXbRFNw@mail.gmail.com>
In-Reply-To: <CAOMZO5B6FvDibpppHghX9c0+R6LUPOF3jU924J-a-feNZpJrrg@mail.gmail.com>

Hi Fabio

On Thu, May 26, 2022 at 2:13 PM Fabio Estevam <festevam@gmail.com> wrote:
>
> Hi Ramon,
>
> On Wed, May 25, 2022 at 11:46 PM Ramon Fried <rfried.dev@gmail.com> wrote:
>
> > Hi Nicolas,
> > Thanks for the research.
> > I have read your description thoroughly, very interesting.
> > I will implement fixes to the findings.
>
> Is it enough to add the check below?
>
> --- a/net/net.c
> +++ b/net/net.c
> @@ -906,6 +906,9 @@ static struct ip_udp_hdr *__net_defragment(struct
> ip_udp_hdr *ip, int *lenp)
> uchar *indata = (uchar *)ip;
> int offset8, start, len, done = 0;
> u16 ip_off = ntohs(ip->ip_off);
> +
> + if (ip->ip_len < 28)
> + return NULL;
>
If you comment on it up or nobody will remember what is 28 tomorrow
Michael
> /* payload starts after IP header, this fragment is in there */
> payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
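
Review bot: The added test `if (ip->ip_len < 28)` reads the length field without a byte-order conversion, while the line directly above it converts a field of the same header with `ntohs(ip->ip_off)`. If `ip_len` is likewise stored in network byte order, the comparison does not test the intended bound on a little-endian host, so it should be `ntohs(ip->ip_len)`. The bare 28 should also be replaced by a named expression, for example one built on IP_HDR_SIZE, which the context line below already uses, or at least carry a comment saying which minimum length it enforces and why a shorter fragment must be dropped.
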
--
Michael Nazzareno Trimarchi
Co-Founder & Chief Executive Officer
M. +39 347 913 2170
michael@amarulasolutions.com
__________________________________
Amarula Solutions BV
Joop Geesinkweg 125, 1114 AB, Amsterdam, NL
T. +31 (0)85 111 9172
info@amarulasolutions.com
www.amarulasolutions.com