netdev.vger.kernel.org archive mirror
* [PATCH][MCAST]IPv6: Check packet size when process Multicast Address and Source Specific Query
@ 2005-10-31  5:20 Yan Zheng
  2005-10-31  5:27 ` YOSHIFUJI Hideaki / 吉藤英明
  2005-10-31 19:42 ` David Stevens
  0 siblings, 2 replies; 6+ messages in thread
From: Yan Zheng @ 2005-10-31  5:20 UTC (permalink / raw)
  To: netdev; +Cc: linux-kernel, David Stevens


Signed-off-by: Yan Zheng <yanzheng@21cn.com>

Index: net/ipv6/mcast.c
================================================================================
--- linux-2.6.14/net/ipv6/mcast.c	2005-10-30 23:09:33.000000000 +0800
+++ linux/net/ipv6/mcast.c	2005-10-31 13:13:10.000000000 +0800
@@ -1156,7 +1156,12 @@ int igmp6_event_query(struct sk_buff *sk
 			return 0;
 		}
 		/* mark sources to include, if group & source-specific */
-		mark = mlh2->nsrcs != 0;
+		if (mlh2->nsrcs != 0) {
+			if (!pskb_may_pull(skb, mlh2->nsrcs * sizeof(struct in6_addr) +
+				(sizeof(struct mld2_query) - sizeof(struct icmp6hdr))))
+				return -EINVAL;
+			mark = 1;
+		}
 	} else {
 		in6_dev_put(idev);
 		return -EINVAL;
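Review bot: The new return -EINVAL in the pskb_may_pull() failure branch leaves the function without calling in6_dev_put(idev), while the else branch directly below drops that reference before returning the same error. Unless the reference has already been released on this path, the early return leaks it; add in6_dev_put(idev); before the return.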


* Re: [PATCH][MCAST]IPv6: Check packet size when process Multicast Address and Source Specific Query
  2005-10-31  5:20 [PATCH][MCAST]IPv6: Check packet size when process Multicast Address and Source Specific Query Yan Zheng
@ 2005-10-31  5:27 ` YOSHIFUJI Hideaki / 吉藤英明
  2005-10-31 12:09   ` Yan Zheng
  2005-10-31 19:42 ` David Stevens
  1 sibling, 1 reply; 6+ messages in thread
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2005-10-31  5:27 UTC (permalink / raw)
  To: yanzheng; +Cc: netdev, linux-kernel, dlstevens, yoshfuji

In article <4365A995.3050404@21cn.com> (at Mon, 31 Oct 2005 13:20:21 +0800), Yan Zheng <yanzheng@21cn.com> says:

> 
> Signed-off-by: Yan Zheng <yanzheng@21cn.com>
> 
> Index: net/ipv6/mcast.c
> ================================================================================
> --- linux-2.6.14/net/ipv6/mcast.c	2005-10-30 23:09:33.000000000 +0800
> +++ linux/net/ipv6/mcast.c	2005-10-31 13:13:10.000000000 +0800
> @@ -1156,7 +1156,12 @@ int igmp6_event_query(struct sk_buff *sk
>  			return 0;
>  		}
>  		/* mark sources to include, if group & source-specific */
> -		mark = mlh2->nsrcs != 0;
> +		if (mlh2->nsrcs != 0) {
> +			if (!pskb_may_pull(skb, mlh2->nsrcs * sizeof(struct in6_addr) +
> +				(sizeof(struct mld2_query) - sizeof(struct icmp6hdr))))
> +				return -EINVAL;
> +			mark = 1;
> +		}
>  	} else {
>  		in6_dev_put(idev);
>  		return -EINVAL;
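Review bot: mark is now assigned only inside the nsrcs != 0 branch, whereas the removed line set it on every pass through this path. The hunk does not show the declaration, so confirm that mark starts at 0 there; otherwise a query with nsrcs == 0 leaves it uninitialised for the code that follows.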

You cannot continue using mlh2, local copy of skb->h.raw
after pskb_may_pull(). Please refresh it.

--yoshfuji
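
The refresh requested above, as an added user-space example that is not part of the thread or the kernel source: struct pkt and may_pull() are a hypothetical model of an skb and pskb_may_pull(), and the 28-byte header with the source count at offset 26 is assumed from the MLDv2 query layout in RFC 3810.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy skb (hypothetical model): `lin` bytes linear at `head`, rest in `frag`. */
struct pkt { uint8_t *head; size_t lin, total; const uint8_t *frag; };

/* Model of pskb_may_pull(): make the first `len` bytes linear. realloc()
 * may move the linear area, so pointers taken before the call go stale. */
static int may_pull(struct pkt *p, size_t len)
{
	uint8_t *n;
	if (len <= p->lin) return 1;
	if (len > p->total || !(n = realloc(p->head, len))) return 0;
	memcpy(n + p->lin, p->frag, len - p->lin);
	p->frag += len - p->lin;
	p->head = n; p->lin = len;
	return 1;
}

#define MLD2_HDR  28  /* fixed MLDv2 query header, RFC 3810 (assumed) */
#define NSRCS_OFF 26  /* 16-bit source count, network byte order */

/* Source count, or -1 if truncated; *last = final byte of the last source. */
static int parse_query(struct pkt *p, uint8_t *last)
{
	const uint8_t *h; size_t nsrcs;
	if (!may_pull(p, MLD2_HDR)) return -1;
	h = p->head;                          /* derive only after the pull */
	nsrcs = (size_t)h[NSRCS_OFF] << 8 | h[NSRCS_OFF + 1];
	if (nsrcs && !may_pull(p, MLD2_HDR + nsrcs * 16)) return -1;
	h = p->head;                          /* refresh: data may have moved */
	if (nsrcs) *last = h[MLD2_HDR + nsrcs * 16 - 1];
	return (int)nsrcs;
}

/* Constructed packet: claims `claimed` sources, carries `present` (1..4). */
static int demo(unsigned claimed, unsigned present, size_t lin, uint8_t *last)
{
	uint8_t raw[MLD2_HDR + 4 * 16] = {0};
	struct pkt p = { malloc(lin), lin, MLD2_HDR + present * 16, raw + lin };
	int r;
	if (!p.head) return -1;
	raw[NSRCS_OFF + 1] = (uint8_t)claimed;
	raw[MLD2_HDR + present * 16 - 1] = 0xAB;   /* marker in last source */
	memcpy(p.head, raw, lin);
	r = parse_query(&p, last);
	free(p.head);
	return r;
}
int main(void) { uint8_t b = 0; return !(demo(2, 2, 8, &b) == 2 && b == 0xAB); }
```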


* Re: [PATCH][MCAST]IPv6: Check packet size when process Multicast Address and Source Specific Query
  2005-10-31  5:27 ` YOSHIFUJI Hideaki / 吉藤英明
@ 2005-10-31 12:09   ` Yan Zheng
  2005-10-31 12:15     ` YOSHIFUJI Hideaki / 吉藤英明
  0 siblings, 1 reply; 6+ messages in thread
From: Yan Zheng @ 2005-10-31 12:09 UTC (permalink / raw)
  To: netdev; +Cc: linux-kernel, yoshfuji

> 
> You cannot continue using mlh2, local copy of skb->h.raw
> after pskb_may_pull(). Please refresh it.
> 
> --yoshfuji
> 

My mistake, sorry.
I hope the new one is correct.

Regards
================================================================================
--- linux-2.6.14/net/ipv6/mcast.c	2005-10-30 23:09:33.000000000 +0800
+++ linux/net/ipv6/mcast.c	2005-10-31 14:16:19.000000000 +0800
@@ -1087,7 +1087,7 @@ static void mld_marksources(struct ifmca
 
 int igmp6_event_query(struct sk_buff *skb)
 {
-	struct mld2_query *mlh2 = (struct mld2_query *) skb->h.raw;
+	struct mld2_query *mlh2 = NULL;
 	struct ifmcaddr6 *ma;
 	struct in6_addr *group;
 	unsigned long max_delay;
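Review bot: Initialising mlh2 to NULL at its declaration turns any later use before the assignment into a run-time NULL dereference instead of a compiler warning about a possibly uninitialised variable. Consider declaring mlh2 inside the block where it is assigned, or leaving it uninitialised so the compiler can flag a premature use.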
@@ -1140,6 +1140,13 @@ int igmp6_event_query(struct sk_buff *sk
 		/* clear deleted report items */
 		mld_clear_delrec(idev);
 	} else if (len >= 28) {
+		int srcs_offset = sizeof(struct mld2_query) - 
+				  sizeof(struct icmp6hdr);
+		if (!pskb_may_pull(skb, srcs_offset)) {
+			in6_dev_put(idev);
+			return -EINVAL;
+		}
+		mlh2 = (struct mld2_query *) skb->h.raw;
 		max_delay = (MLDV2_MRC(ntohs(mlh2->mrc))*HZ)/1000;
 		if (!max_delay)
 			max_delay = 1;
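Review bot: The branch condition compares len against the literal 28 while the pull length on the added lines is computed from sizeof(struct mld2_query) - sizeof(struct icmp6hdr). Expressing both in terms of sizeof would keep the two from drifting apart, and a one-line comment on why the icmp6hdr size is subtracted would help the next reader. The added line ending in "sizeof(struct mld2_query) - " also carries trailing whitespace.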
@@ -1156,7 +1163,15 @@ int igmp6_event_query(struct sk_buff *sk
 			return 0;
 		}
 		/* mark sources to include, if group & source-specific */
-		mark = mlh2->nsrcs != 0;
+		if (mlh2->nsrcs != 0) {
+			if (!pskb_may_pull(skb, srcs_offset + 
+				mlh2->nsrcs * sizeof(struct in6_addr))) {
+				in6_dev_put(idev);
+				return -EINVAL;
+			}
+			mlh2 = (struct mld2_query *) skb->h.raw;
+			mark = 1;
+		}
 	} else {
 		in6_dev_put(idev);
 		return -EINVAL;
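Review bot: In the second pskb_may_pull() call, mlh2->nsrcs is multiplied as read from the packet, while mrc from the same header goes through ntohs() earlier in this function. If nsrcs is likewise in network byte order, the computed length is wrong on little-endian hosts (a count of 1 becomes 256), so a valid query would be rejected with -EINVAL; use ntohs(mlh2->nsrcs) in the length expression.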


* Re: [PATCH][MCAST]IPv6: Check packet size when process Multicast Address and Source Specific Query
  2005-10-31 12:09   ` Yan Zheng
@ 2005-10-31 12:15     ` YOSHIFUJI Hideaki / 吉藤英明
  0 siblings, 0 replies; 6+ messages in thread
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2005-10-31 12:15 UTC (permalink / raw)
  To: yanzheng, acme; +Cc: netdev, linux-kernel, yoshfuji

In article <43660989.2000100@21cn.com> (at Mon, 31 Oct 2005 20:09:45 +0800), Yan Zheng <yanzheng@21cn.com> says:

> I hope the new one is correct.

looks ok.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

--yoshfuji


* Re: [PATCH][MCAST]IPv6: Check packet size when process Multicast Address and Source Specific Query
  2005-10-31  5:20 [PATCH][MCAST]IPv6: Check packet size when process Multicast Address and Source Specific Query Yan Zheng
  2005-10-31  5:27 ` YOSHIFUJI Hideaki / 吉藤英明
@ 2005-10-31 19:42 ` David Stevens
  2005-11-01  4:20   ` Yan Zheng
  1 sibling, 1 reply; 6+ messages in thread
From: David Stevens @ 2005-10-31 19:42 UTC (permalink / raw)
  To: Yan Zheng; +Cc: linux-kernel, netdev

I think this should be modelled after the equivalent code in IGMPv3.
See igmp_heard_query() in net/ipv4/igmp.c. For ease of maintenance,
the code should be structured exactly the same way, except for
necessary differences, of course.

I haven't seen enough context yet, but I think you need to check
for the query header itself, too (as done in IGMPv3).

I'm reviewing your other patches as well.

                                        +-DLS


* Re: [PATCH][MCAST]IPv6: Check packet size when process Multicast Address and Source Specific Query
  2005-10-31 19:42 ` David Stevens
@ 2005-11-01  4:20   ` Yan Zheng
  0 siblings, 0 replies; 6+ messages in thread
From: Yan Zheng @ 2005-11-01  4:20 UTC (permalink / raw)
  To: David Stevens; +Cc: Yan Zheng, linux-kernel, netdev

> I think this should be modelled after the equivalent code in IGMPv3.
> See igmp_heard_query() in net/ipv4/igmp.c. For ease of maintenance,
> the code should be structured exactly the same way, except for
> necessary differences, of course.
>
> I haven't seen enough context yet, but I think you need to check
> for the query header itself, too (as done in IGMPv3).
>
> I'm reviewing your other patches as well.
>
>                                         +-DLS

Yes. It's better to drop invalid queries earlier.
