Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net/ipv6: ioam6: prevent schema length wraparound in trace fill

ioam6_fill_trace_data() stores the schema contribution to the trace
length in a u8. With bit 22 enabled and the largest schema payload,
sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the
remaining-space check. __ioam6_fill_trace_data() then positions the
write cursor without reserving the schema area but still copies the
4-byte schema header and the full schema payload, overrunning the trace
buffer.

Keep sclen in an unsigned int so the remaining-space check and the write
cursor calculation both see the full schema length.

Fixes: 8c6f6fa67726 ("ipv6: ioam: IOAM Generic Netlink API")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Pengpeng Hou and committed by David S. Miller
5e67ba9b ae05340c

+2 -2
net/ipv6/ioam6.c
··· 708 708 struct ioam6_namespace *ns, 709 709 struct ioam6_trace_hdr *trace, 710 710 struct ioam6_schema *sc, 711 - u8 sclen, bool is_input) 711 + unsigned int sclen, bool is_input) 712 712 { 713 713 struct net_device *dev = skb_dst_dev(skb); 714 714 struct timespec64 ts; ··· 939 939 bool is_input) 940 940 { 941 941 struct ioam6_schema *sc; 942 - u8 sclen = 0; 942 + unsigned int sclen = 0; 943 943 944 944 /* Skip if Overflow flag is set 945 945 */
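Review bot: In the first hunk, the `unsigned int sclen` parameter at line 711 only protects the write-cursor calculation if every caller passes a value that was never narrowed on the way in. The patch touches two lines in one file, so please confirm there is no other call site or intermediate variable that still holds the schema length in a `u8`. A one-line comment on the parameter saying that `sclen` counts 4-byte units, includes the schema header, and can reach 256 (the `1 + 1020 / 4` case from the commit message) would make it less likely that someone shrinks the type again later.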
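Review bot: In the second hunk, `unsigned int sclen = 0;` at line 942 fixes the wrap, but nothing near the declaration records why a `u8` is too small, and the change (+2 -2 in net/ipv6/ioam6.c only) comes with no regression test. Consider adding a short comment at the declaration noting that bit 22 with the largest schema payload yields 256, and a selftest that enables bit 22 with a maximum-length schema and checks that the remaining-space check rejects the fill rather than letting the schema header and payload be copied.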