From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net] xfrm6: avoid potential infinite loop in _decode_session6()
Date: Sun, 13 May 2018 20:23:49 -0400 (EDT)
Message-ID: <20180513.202349.1985276646648462963.davem@davemloft.net>
References: <20180512094930.77801-1-edumazet@google.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, eric.dumazet@gmail.com, steffen.klassert@secunet.com, nicolas.dichtel@6wind.com
To: edumazet@google.com
Return-path:
Received: from shards.monkeyblade.net ([184.105.139.130]:51476 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750929AbeENAXv (ORCPT ); Sun, 13 May 2018 20:23:51 -0400
In-Reply-To: <20180512094930.77801-1-edumazet@google.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Eric Dumazet
Date: Sat, 12 May 2018 02:49:30 -0700

> syzbot found a way to trigger an infinite loop by overflowing
> @offset variable that has been forced to use u16 for some very
> obscure reason in the past.
>
> We probably want to look at NEXTHDR_FRAGMENT handling which looks
> wrong, in a separate patch.
>
> In net-next, we shall try to use skb_header_pointer() instead of
> pskb_may_pull().
 ...
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Eric Dumazet
> Cc: Steffen Klassert
> Cc: Nicolas Dichtel
> Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com

Steffen, I am assuming you will pick this up.

Thank you.
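The failure the commit message describes (a u16 offset that wraps while walking a chain of IPv6 extension headers, so the walk revisits headers it has already passed and never terminates) can be reproduced in user space with a toy walker. The code below is an added illustration written for this page; it is not the kernel's _decode_session6() and does not reproduce its structure. It assumes only the RFC 8200 extension-header layout (first byte = next header, second byte = length in 8-octet units minus one) and constructs its own packet buffer: 32 maximal hop-by-hop headers of 2048 bytes each, so that 40 + 32 * 2048 = 65576 does not fit in 16 bits and wraps to exactly 40. The u16 walker carries a step limit purely so the example terminates; the checked walker beside it uses a wide offset and bounds-checks every advance.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed example, not kernel code. Header constants follow RFC 8200. */
#define IPV6_FIXED_HDR  40
#define NEXTHDR_HOP     0
#define NEXTHDR_TCP     6
#define NEXTHDR_ROUTING 43
#define NEXTHDR_DEST    60

#define RESULT_TRUNCATED   (-1)  /* a header would run past the end of the packet */
#define RESULT_LOOP_BAILED (-2)  /* step limit hit: the walk would spin forever */

static int is_ext_header(uint8_t nh)
{
    return nh == NEXTHDR_HOP || nh == NEXTHDR_ROUTING || nh == NEXTHDR_DEST;
}

/* Buggy walker: `offset` is a u16. The bounds check before each read is
 * correct, but the advance is silently truncated to 16 bits, so a long
 * chain wraps back onto headers already visited. */
int walk_u16(const uint8_t *pkt, size_t len, uint8_t nh, int max_steps)
{
    uint16_t offset = IPV6_FIXED_HDR;
    while (is_ext_header(nh)) {
        if (--max_steps < 0)
            return RESULT_LOOP_BAILED;       /* guard exists only for this demo */
        if ((size_t)offset + 2 > len)
            return RESULT_TRUNCATED;
        nh = pkt[offset];
        offset += (pkt[offset + 1] + 1) << 3; /* 65576 becomes 40 here */
    }
    return offset;
}

/* Fixed walker: offset is as wide as the length it is compared against,
 * and the advanced offset is checked before it is used. */
int walk_checked(const uint8_t *pkt, size_t len, uint8_t nh)
{
    size_t offset = IPV6_FIXED_HDR;
    while (is_ext_header(nh)) {
        if (offset + 2 > len)
            return RESULT_TRUNCATED;
        nh = pkt[offset];
        offset += (size_t)(pkt[offset + 1] + 1) << 3;
        if (offset > len)
            return RESULT_TRUNCATED;
    }
    return (int)offset;
}

/* Constructed packet: 32 hop-by-hop headers of 2048 bytes starting at
 * byte 40, then a minimal header announcing TCP at byte 65576. */
uint8_t *build_wrapping_packet(size_t *len)
{
    *len = 65600;
    uint8_t *pkt = calloc(*len, 1);
    if (!pkt)
        return NULL;
    for (int k = 0; k < 32; k++) {
        size_t o = IPV6_FIXED_HDR + (size_t)k * 2048;
        pkt[o] = NEXTHDR_HOP;   /* next header: another hop-by-hop */
        pkt[o + 1] = 255;       /* (255 + 1) * 8 = 2048 bytes long */
    }
    pkt[65576] = NEXTHDR_TCP;   /* next header: TCP, chain ends here */
    pkt[65577] = 0;             /* 8 bytes long */
    return pkt;
}

/* Run one walker over the constructed packet; returns its result code. */
int demo_u16(void)
{
    size_t len;
    uint8_t *pkt = build_wrapping_packet(&len);
    if (!pkt)
        return RESULT_TRUNCATED;
    int r = walk_u16(pkt, len, NEXTHDR_HOP, 1000);
    free(pkt);
    return r;
}

int demo_checked(void)
{
    size_t len;
    uint8_t *pkt = build_wrapping_packet(&len);
    if (!pkt)
        return RESULT_TRUNCATED;
    int r = walk_checked(pkt, len, NEXTHDR_HOP);
    free(pkt);
    return r;
}

int main(void)
{
    printf("u16 walker:     %d (-2 = would loop forever)\n", demo_u16());
    printf("checked walker: %d (offset of the TCP header)\n", demo_checked());
    return 0;
}
```

The point to take from the two walkers is that the per-read bounds check is not what fails: every read in the u16 version is in bounds, which is why a fuzzer rather than a sanitizer found it. The defect is that the loop variable is narrower than the quantity it tracks, so it wraps into previously visited state. Defensive review of any header-chain walker should therefore check the width of the offset against the maximum packet length and, as a second layer, consider a hard step limit proportional to the packet size.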