path: root/tools/verification/rv/ssh:/git@git.zx2c4.com
author: Jason A. Donenfeld <Jason@zx2c4.com> 2026-05-05 15:53:22 +0200
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2026-05-05 17:00:15 +0200
commit: 73a50c673a9cd93373b722fad4260d10c8083086
tree: e114d6ea906415d5bff956d9f2e586d0cedc9757 /tools/verification/rv/ssh:/git@git.zx2c4.com
parent: net: mana: Fix crash from unvalidated SHM offset read from BAR0 during FLR

wireguard: send: append trailer after expanding head (HEAD, stable)
With how this is currently written, we add the trailer, zero it out, and then add the header space on. If that header space requires a reallocation + copy, the zeros in the trailer aren't copied, because the skb len hasn't actually been yet expanded to cover that. In that case, the trailer bytes are uninitialized. This winds up getting sent out encrypted over the network.

I'm unable to actually cause this to happen, except by twiddling locally with tc-bpf, calling bpf_skb_change_head(skb, 32, 0) in a hook, so it doesn't seem to be a real problem. Nevertheless, it seems correct to fix this.

Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'tools/verification/rv/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions
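
An added userspace toy model of the ordering problem the commit message describes, not code from the WireGuard or kernel tree. The toy_skb structure, its helpers, the "ping" payload and the 0xAA poison value are hypothetical; only the 32-byte head expansion mirrors the bpf_skb_change_head(skb, 32, 0) call quoted in the message.

```c
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an skb (hypothetical, not the kernel structure):
 * packet bytes live at base[head .. head+len); bytes past that are tailroom. */
struct toy_skb { unsigned char *base; size_t head, len, cap; };

#define STALE 0xAA /* poison value standing in for uninitialised heap memory */

static struct toy_skb toy_new(const void *payload, size_t len, size_t tailroom)
{
    struct toy_skb s = { malloc(len + tailroom), 0, len, len + tailroom };
    memset(s.base, STALE, s.cap);
    memcpy(s.base, payload, len);
    return s;
}

/* Grow headroom with a reallocation that copies only the `len` bytes
 * the buffer accounts for, as the commit message describes. */
static void toy_expand_head(struct toy_skb *s, size_t extra)
{
    unsigned char *n = malloc(s->cap + extra);
    memset(n, STALE, s->cap + extra);
    memcpy(n + s->head + extra, s->base + s->head, s->len);
    free(s->base);
    s->base = n; s->head += extra; s->cap += extra;
}

/* Zero `pad` trailer bytes just past the current packet end (len unchanged). */
static void toy_zero_trailer(struct toy_skb *s, size_t pad)
{
    memset(s->base + s->head + s->len, 0, pad);
}

/* Build a packet with `pad` trailer bytes and return how many of them
 * still hold the poison value once the trailer is counted into len. */
size_t stale_trailer_bytes(int expand_head_first, size_t pad)
{
    struct toy_skb s = toy_new("ping", 4, pad); /* constructed payload */
    size_t stale = 0;
    if (expand_head_first) { toy_expand_head(&s, 32); toy_zero_trailer(&s, pad); }
    else                   { toy_zero_trailer(&s, pad); toy_expand_head(&s, 32); }
    s.len += pad; /* trailer becomes part of the packet that gets sent */
    for (size_t i = s.len - pad; i < s.len; i++)
        stale += s.base[s.head + i] == STALE;
    free(s.base);
    return stale;
}
```

Calling stale_trailer_bytes(0, 12) models zeroing the trailer before the head expansion, and stale_trailer_bytes(1, 12) models the order named in the commit subject.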