From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 05/32] ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
Date: Thu, 16 Feb 2017 09:54:41 -0800 [thread overview]
Message-ID: <20170216175312.667423964@linuxfoundation.org> (raw)
In-Reply-To: <20170216175312.436156263@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 63117f09c768be05a0bf465911297dc76394f686 ]
Casting is a high precedence operation but "off" and "i" are in terms of
bytes so we need to have some parenthesis here.
Fixes: fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_tunnel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -441,7 +441,7 @@ __u16 ip6_tnl_parse_tlv_enc_lim(struct s
if (i + sizeof(*tel) > optlen)
break;
- tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
+ tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i);
/* return index of option if found and valid */
if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT &&
tel->length == 1)
next prev parent reply other threads:[~2017-02-16 17:55 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-16 17:54 [PATCH 4.9 00/32] 4.9.11-stable review Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 01/32] can: Fix kernel panic at security_sock_rcv_skb Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 02/32] net/mlx5e: Fix update of hash function/key via ethtool Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 03/32] net/sched: matchall: Fix configuration race Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 04/32] ipv6: fix ip6_tnl_parse_tlv_enc_lim() Greg Kroah-Hartman
2017-02-16 17:54 ` Greg Kroah-Hartman [this message]
2017-02-16 17:54 ` [PATCH 4.9 06/32] tcp: fix 0 divide in __tcp_select_window() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 07/32] stmmac: Discard masked flags in interrupt status register Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 08/32] net: use a work queue to defer net_disable_timestamp() work Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 09/32] ipv4: keep skb->dst around in presence of IP options Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 10/32] netlabel: out of bound access in cipso_v4_validate() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 11/32] ip6_gre: fix ip6gre_err() invalid reads Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 12/32] ipv6: tcp: add a missing tcp_v6_restore_cb() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 13/32] tcp: avoid infinite loop in tcp_splice_read() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 14/32] tun: read vnet_hdr_sz once Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 15/32] macvtap: read vnet_hdr_size once Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 17/32] rtl8150: Use heap buffers for all register access Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 18/32] catc: Combine failure cleanup code in catc_probe() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 19/32] catc: Use heap buffer for memory size test Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 20/32] mlx4: Invoke softirqs after napi_reschedule Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 21/32] sctp: avoid BUG_ON on sctp_wait_for_sndbuf Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 22/32] lwtunnel: valid encap attr check should return 0 when lwtunnel is disabled Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 23/32] sit: fix a double free on error path Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 24/32] net: introduce device min_header_len Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 25/32] packet: round up linear to header len Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 26/32] ping: fix a null pointer dereference Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 27/32] net: dsa: Do not destroy invalid network devices Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 28/32] l2tp: do not use udp_ioctl() Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 29/32] mld: do not remove mld souce list info when set link down Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 30/32] igmp, mld: Fix memory leak in igmpv3/mld_del_delrec() Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 31/32] tcp: fix mark propagation with fwmark_reflect enabled Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 32/32] net/mlx5: Dont unlock fte while still using it Greg Kroah-Hartman
2017-02-17 10:38 ` [PATCH 4.9 00/32] 4.9.11-stable review Guenter Roeck
2017-02-17 18:12 ` Greg Kroah-Hartman
[not found] ` <58a74eec.cfa8190a.ae52b.6ef7@mx.google.com>
2017-02-17 23:43 ` Greg Kroah-Hartman
2017-02-20 22:36 ` Kevin Hilman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170216175312.667423964@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).