From: patchwork-bot+netdevbpf@kernel.org
To: Yucheng Lu <kanolyc@gmail.com>
Cc: security@kernel.org, stephen@networkplumber.org,
netdev@vger.kernel.org, jhs@mojatatu.com, jiri@resnulli.us,
davem@davemloft.net, Jason@zx2c4.com, kees@kernel.org,
yifanwucs@gmail.com, tomapufckgml@gmail.com,
tanyuan98@outlook.com, bird@lzu.edu.cn, z1652074432@gmail.com
Subject: Re: [PATCH RESEND net v2 1/1] net/sched: sch_netem: fix out-of-bounds access in packet corruption
Date: Thu, 02 Apr 2026 03:00:09 +0000 [thread overview]
Message-ID: <177509880929.3966658.1444595257739812877.git-patchwork-notify@kernel.org> (raw)
In-Reply-To: <45435c0935df877853a81e6d06205ac738ec65fa.1774941614.git.kanolyc@gmail.com>
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Tue, 31 Mar 2026 16:00:21 +0800 you wrote:
> In netem_enqueue(), the packet corruption logic uses
> get_random_u32_below(skb_headlen(skb)) to select an index for
> modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear
> packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.
>
> Passing 0 to get_random_u32_below() takes the variable-ceil slow path
> which returns an unconstrained 32-bit random integer. Using this
> unconstrained value as an offset into skb->data results in an
> out-of-bounds memory access.
>
> [...]
Here is the summary with links:
- [RESEND,net,v2,1/1] net/sched: sch_netem: fix out-of-bounds access in packet corruption
https://git.kernel.org/netdev/net/c/d64cb81dcbd5
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
prev parent reply other threads:[~2026-04-02 3:00 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1773323637.git.kanolyc@gmail.com>
2026-03-31 8:00 ` [PATCH RESEND net v2 1/1] net/sched: sch_netem: fix out-of-bounds access in packet corruption Yucheng Lu
2026-04-01 14:46 ` Stephen Hemminger
2026-04-02 3:00 ` patchwork-bot+netdevbpf [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=177509880929.3966658.1444595257739812877.git-patchwork-notify@kernel.org \
--to=patchwork-bot+netdevbpf@kernel.org \
--cc=Jason@zx2c4.com \
--cc=bird@lzu.edu.cn \
--cc=davem@davemloft.net \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=kanolyc@gmail.com \
--cc=kees@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=security@kernel.org \
--cc=stephen@networkplumber.org \
--cc=tanyuan98@outlook.com \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=z1652074432@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox