| Re: [PATCH] Copy mac_len in skb_clone() as well [message #11224 is a reply to message #11195] |
Thu, 15 March 2007 16:04  |
Alexey Kuznetsov
Messages: 18
Registered: February 2006
|
Junior Member |
|
|
Hello!
> What bug triggered that helped you discover this? Or is it
> merely from a code audit?
I asked the same question. :-)
openvz added some another fields to skbuff and when it was found
that they are lost while clone, he tried to figure out how all this works
and looked for another examples of this kind.
As I understand, the problem can be seen only in xfrmX_tunnel_input.
If uninitialized mac_len obtained from slab is more than current head room
it could corrupt memory.
Also, it looks like the fix is incomplete. copy_skb_header() also does not
copy this field. But it will be initialized to 0 by alloc_skb in this case
and xfrmX_tunnel_input() just will not copy mac header.
Alexey
|
|
|
|
OpenVZ Forum
Members
Search
Help
Register
Login
Home
