From: Jukka Rissanen <jukka.rissanen@linux.intel.com>
To: Glenn Ruben Bakke <glennrubenbakke@nordicsemi.no>, marcel@holtmann.org
Cc: linux-bluetooth@vger.kernel.org,
	Glenn Ruben Bakke <glenn.ruben.bakke@nordicsemi.no>
Subject: Re: [PATCH] Bluetooth: 6lowpan: Fix memory corruption of ipv6 destination address
Date: Mon, 25 Apr 2016 12:24:42 +0300
Message-ID: <1461576282.28077.39.camel@linux.intel.com>
In-Reply-To: <1461341171-2951-1-git-send-email-glennrubenbakke@nordicsemi.no>

Hi Glenn,

nice fix and it makes sense.

Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>


On Fri, 2016-04-22 at 18:06 +0200, Glenn Ruben Bakke wrote:
> The memcpy of ipv6 header destination address to the skb control block
> (skb->cb) in header_create() results in corrupted memory when bt_xmit()
> is issued. The skb->cb is "released" in the return of header_create()
> making room for lower layer to manipulate the skb->cb.
> 
> The value retrieved in bt_xmit is not persistent across header creation
> and sending, and the lower layer will overwrite portions of skb->cb,
> making the copied destination address wrong.
> 
> The memory corruption will lead to non-working multicast as the first 4
> bytes of the copied destination address are replaced by a value that
> resolves into a non-multicast prefix.
> 
> The issue has also been observed in kernel 4.5.
> 
> This fix removes the dependency on the skb control block between header
> creation and send, by moving the destination address memcpy to the send
> function path (setup_create, which is called from bt_xmit).
> 
> Signed-off-by: Glenn Ruben Bakke <glenn.ruben.bakke@nordicsemi.no>
> ---


Cheers,
Jukka
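
A userspace model of the failure the quoted commit message describes, added here as an illustration; it is not part of this thread or of the kernel patch. The struct, the function names, the 4 bytes of "lower layer" state and the ff02::1 sample packet are all constructed, and reading the address from the IPv6 header in the packet data at send time is an assumption about where the moved memcpy takes it from.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DST_OFF  24   /* destination address offset in the IPv6 header */
#define ADDR_LEN 16

/* Userspace model, not kernel code: cb stands in for the 48-byte skb->cb. */
struct pkt {
    uint8_t cb[48];    /* scratch area, reusable by whichever layer holds the packet */
    uint8_t data[40];  /* IPv6 header */
};

/* Constructed sample packet addressed to ff02::1 (all-nodes multicast). */
static void build_packet(struct pkt *p) {
    memset(p, 0, sizeof(*p));
    p->data[DST_OFF] = 0xff;
    p->data[DST_OFF + 1] = 0x02;
    p->data[DST_OFF + ADDR_LEN - 1] = 0x01;
}

/* Hypothetical lower layer that keeps 4 bytes of its own state in cb. */
static void lower_layer_touch(struct pkt *p) {
    static const uint8_t state[4] = { 0x12, 0x34, 0x56, 0x78 };
    memcpy(p->cb, state, sizeof(state));
}

/* ff00::/8 is the IPv6 multicast prefix. */
static int is_multicast(const uint8_t *addr) { return addr[0] == 0xff; }

/* Pre-fix pattern: stash at header creation, read back from cb at send time. */
static int send_using_cb(struct pkt *p) {
    memcpy(p->cb, p->data + DST_OFF, ADDR_LEN);  /* header creation */
    lower_layer_touch(p);                        /* cb changes owner */
    return is_multicast(p->cb);                  /* send path reads stale cb */
}

/* Post-fix pattern: copy the address inside the send path itself. */
static int send_using_header(struct pkt *p) {
    uint8_t dst[ADDR_LEN];
    lower_layer_touch(p);                        /* cb contents no longer matter */
    memcpy(dst, p->data + DST_OFF, ADDR_LEN);
    return is_multicast(dst);
}

int main(void) {
    struct pkt p;
    build_packet(&p); printf("read from cb:     multicast=%d\n", send_using_cb(&p));
    build_packet(&p); printf("read from header: multicast=%d\n", send_using_header(&p));
    return 0;
}
```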


Thread overview: 3+ messages
2016-04-22 16:06 [PATCH] Bluetooth: 6lowpan: Fix memory corruption of ipv6 destination address Glenn Ruben Bakke
2016-04-25  9:24 ` Jukka Rissanen [this message]
2016-04-25 23:08 ` Marcel Holtmann
