Commit 2f3bb642 authored by David Lebrun's avatar David Lebrun Committed by David S. Miller
Browse files

ipv6: sr: fix out-of-bounds access in SRH validation 



This patch fixes an out-of-bounds access in seg6_validate_srh() when the
trailing data is less than sizeof(struct sr6_tlv).

Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarDavid Lebrun <david.lebrun@uclouvain.be>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c1f8d0f9

net/ipv6/seg6.c

+3 −0
Original line number Diff line number Diff line
@@ -53,6 +53,9 @@ bool seg6_validate_srh(struct ipv6_sr_hdr *srh, int len) 
		struct sr6_tlv *tlv;

		unsigned int tlv_len;



		if (trailing < sizeof(*tlv))

			return false;



		tlv = (struct sr6_tlv *)((unsigned char *)srh + tlv_offset);

		tlv_len = sizeof(*tlv) + tlv->len;

CRA Git | Maintained and supported by SUSTech CRA and CCSE