Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ipv6: Fix out-of-bounds access in ipv6_find_tlv()

optlen is fetched without checking whether there is more than one byte to parse.
It can lead to out-of-bounds access.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: c61a40432509 ("[IPV6]: Find option offset by type.")
Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Gavrilov Ilia and committed by David S. Miller
878ecb08 ba46c96d

+2
+2
net/ipv6/exthdrs_core.c
··· 143 143 optlen = 1; 144 144 break; 145 145 default: 146 + if (len < 2) 147 + goto bad; 146 148 optlen = nh[offset + 1] + 2; 147 149 if (optlen > len) 148 150 goto bad;
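Review bot: the new `if (len < 2)` guard in the `default:` case carries no comment explaining the constant; a one-line note that 2 covers the option type byte plus the length byte read by `nh[offset + 1]` would keep it from looking redundant next to the existing `if (optlen > len)` test. That later test would also reject a short buffer, since `optlen` is at least 2, but only after the length byte has already been read, so the guard has to stay ahead of the `optlen = nh[offset + 1] + 2` assignment. The guard is sufficient only if `len` counts the bytes remaining from `offset` rather than the total header length; the visible lines do not show how `len` is updated in the loop, so that is worth confirming in the surrounding code.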