From: Olaf Kirch <okir@suse.de>
To: netfilter-devel@lists.netfilter.org
Cc: netdev@oss.sgi.com
Subject: [PATCH] Kernel oops in ip6t_LOG.c:ip6_nexthdr
Date: Thu, 26 Aug 2004 13:35:39 +0200
Message-ID: <20040826113538.GE15409@suse.de>
[-- Attachment #1: Type: text/plain, Size: 864 bytes --]
Hi,
We just ran into a kernel oops after enabling ipv6 packet filtering.
The machine would choke on the IGMPv6 packets sent out when the
interface is taken up. The reason is this code:
    /*stupid rfc2402 */
    case IPPROTO_DSTOPTS:
    case IPPROTO_ROUTING:
    case IPPROTO_HOPOPTS:
        nexthdr = **hdrptr;
        hdrlen = *hdrptr[1] * 8 + 8;
                 ^^^^^^^^^^ it dies here
        *hdrptr = *hdrptr + hdrlen;
        break;
hdrptr is a u_int8_t **. What you really want to do here is
look at (*hdrptr)[1], but what the expression does is look at
*(hdrptr[1]). Unfortunately, hdrptr[1] is usually random garbage.
The attached patch fixes this.
Olaf
--
Olaf Kirch | The Hardware Gods hate me.
okir@suse.de |
---------------+
[-- Attachment #2: netfilter6-logging --]
[-- Type: text/plain, Size: 869 bytes --]
Prevent oopses when logging IGMPv6 packets and similar.
Index: linux-2.6.5/net/ipv6/netfilter/ip6t_LOG.c
===================================================================
--- linux-2.6.5.orig/net/ipv6/netfilter/ip6t_LOG.c
+++ linux-2.6.5/net/ipv6/netfilter/ip6t_LOG.c
@@ -55,7 +55,7 @@ static u_int8_t ip6_nexthdr(u_int8_t cur
repeatedly...with a large stick...no, an even LARGER
stick...no, you're still not thinking big enough */
nexthdr = **hdrptr;
- hdrlen = *hdrptr[1] * 4 + 8;
+ hdrlen = (*hdrptr)[1] * 4 + 8;
*hdrptr = *hdrptr + hdrlen;
break;
/*stupid rfc2402 */
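Review bot: In the `(*hdrptr)[1] * 4 + 8` branch, nothing in the visible lines checks that byte 1 of the header, or the `hdrlen` bytes it describes, lies inside the data that was actually received before `*hdrptr = *hdrptr + hdrlen;` advances the pointer. With the dereference corrected, `hdrlen` is now a sender-controlled value rather than garbage, so a check against the remaining length before the advance would be worth adding here or in a follow-up.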
@@ -63,7 +63,7 @@ static u_int8_t ip6_nexthdr(u_int8_t cur
case IPPROTO_ROUTING:
case IPPROTO_HOPOPTS:
nexthdr = **hdrptr;
- hdrlen = *hdrptr[1] * 8 + 8;
+ hdrlen = (*hdrptr)[1] * 8 + 8;
*hdrptr = *hdrptr + hdrlen;
break;
case IPPROTO_FRAGMENT:
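Review bot: The DSTOPTS/ROUTING/HOPOPTS branch repeats the statement from the previous hunk with only the multiplier changed (`* 8 + 8` against `* 4 + 8`), which is how the same `*hdrptr[1]` precedence mistake ended up in two places. Consider a local such as `u_int8_t *hdr = *hdrptr;` in each branch and indexing `hdr[1]`, so no indexing through the double pointer remains. The changelog line could also name the `*hdrptr[1]` versus `(*hdrptr)[1]` fix rather than only the IGMPv6 symptom.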
Thread overview: 3+ messages
2004-08-26 11:35 Olaf Kirch [this message]
2004-08-26 11:56 ` [PATCH] Kernel oops in ip6t_LOG.c:ip6_nexthdr YOSHIFUJI Hideaki / 吉藤英明
2004-08-26 21:10 ` David S. Miller
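The precedence difference described in the message above, as an added example that is not part of the original mail or the kernel source. It goes one step beyond the patch by also bounds-checking the header step; `slots`, `other`, the `end` parameter and all function names are assumptions, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a hop-by-hop header as carried by MLD ("IGMPv6")
 * packets: next header 58, Hdr Ext Len 0, Router Alert option, PadN. */
static uint8_t hopopts[8] = { 58, 0, 5, 2, 0, 0, 1, 0 };
static uint8_t other[1] = { 0xAA };
/* In the kernel hdrptr points at one pointer, so hdrptr[1] is whatever lies
 * next to it. Here slot 1 is defined so the misparse can be observed. */
static uint8_t *slots[2] = { hopopts, other };

/* Unpatched form: parses as *(hdrptr[1]). */
static uint8_t len_byte_unpatched(uint8_t **hdrptr) { return *hdrptr[1]; }

/* Patched form: byte 1 of the header *hdrptr points at. */
static uint8_t len_byte_patched(uint8_t **hdrptr) { return (*hdrptr)[1]; }

/* Step over one HOPOPTS/ROUTING/DSTOPTS-style header (Hdr Ext Len * 8 + 8).
 * 'end' is an assumed extra parameter, not part of ip6_nexthdr(). Returns
 * the next-header value, or -1 (without advancing) if the header does not
 * fit in the bytes before 'end'. */
static int step_ext_hdr(uint8_t **hdrptr, const uint8_t *end)
{
    const uint8_t *p = *hdrptr;
    size_t hdrlen, left = (size_t)(end - p);
    if (left < 2)
        return -1;
    hdrlen = (size_t)p[1] * 8 + 8;
    if (hdrlen > left)
        return -1;
    *hdrptr += hdrlen;
    return p[0];
}

/* Walk the sample with only 'avail' bytes of it considered valid. */
static int demo_walk(size_t avail)
{
    uint8_t *cur = hopopts;
    return step_ext_hdr(&cur, hopopts + avail);
}

int main(void)
{
    printf("unpatched reads 0x%02x, patched reads 0x%02x\n",
           len_byte_unpatched(slots), len_byte_patched(slots));
    printf("full header: %d, truncated: %d\n", demo_walk(8), demo_walk(4));
    return 0;
}
```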