diff options
| author |   David S. Miller <davem@davemloft.net> | 2017-06-04 23:01:48 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-06-04 23:01:48 -0400 |
| commit | a619cc8bedd0df6dfbc389f4c904070be87a0e5c (patch) | |
| tree | 513b8ea0c8bb573013ed3ea31d0734674eee4158 /net/rxrpc/security.c | |
| parent | Merge branch 'bpf-Add-BPF-support-to-all-perf_event' (diff) | |
| parent | virtio_net: check return value of skb_to_sgvec always (diff) | |
| download | wireguard-linux-a619cc8bedd0df6dfbc389f4c904070be87a0e5c.tar.xz wireguard-linux-a619cc8bedd0df6dfbc389f4c904070be87a0e5c.zip | |
Merge branch 'skb-sgvec-overflow'
Jason A. Donenfeld says:
====================
net: Avoiding stack overflow in skb_to_sgvec
The recent bug with macsec and historical one with virtio have
indicated that letting skb_to_sgvec trounce all over an sglist
without checking the length is probably a bad idea. And it's not
necessary either: an sglist already explicitly marks its last
item, and the initialization functions are diligent in doing so.
Thus there's a clear way of avoiding future overflows.
So, this patchset, from a high level, makes skb_to_sgvec return
a potential error code, and then adjusts all callers to check
for the error code. There are two situations in which skb_to_sgvec
might return such an error:
1) When the passed in sglist is too small; and
2) When the passed in skbuff is too deeply nested.
So, the first patch in this series handles the issues with
skb_to_sgvec directly, and the remaining ones then handle the call
sites.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/rxrpc/security.c')
0 files changed, 0 insertions, 0 deletions