[PATCH] Cipso: cipso_v4_optptr enter infinite loop
yujuan.qi
yujuan.qi at mediatek.com
Tue Aug 1 01:54:04 PDT 2017
Hi
On Mon, 2017-07-31 at 16:13 -0400, Paul Moore wrote:
> On Sun, Jul 30, 2017 at 11:23 PM, Yujuan Qi <yujuan.qi at mediatek.com> wrote:
> > From: "yujuan.qi" <yujuan.qi at mediatek.com>
> >
> > in for(),if((optlen > 0) && (optptr[1] == 0)), enter infinite loop.
> >
> > Test: receive a packet which the ip length > 20 and the first byte of ip option is 0, produce this issue
> >
> > Signed-off-by: yujuan.qi <yujuan.qi at mediatek.com>
> > ---
> > net/ipv4/cipso_ipv4.c | 12 ++++++++++--
> > 1 file changed, 10 insertions(+), 2 deletions(-)
>
> Considering I gave you the code below I should probably ack it, right? ;)
>
> Acked-by: Paul Moore <paul at paul-moore.com>
Yes! Thanks for your suggestions!
> > diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
> > index ae20616..0d1e07d 100644
> > --- a/net/ipv4/cipso_ipv4.c
> > +++ b/net/ipv4/cipso_ipv4.c
> > @@ -1523,9 +1523,17 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
> > int taglen;
> >
> > for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
> > - if (optptr[0] == IPOPT_CIPSO)
> > + switch (optptr[0]) {
> > + case IPOPT_CIPSO:
> > return optptr;
> > - taglen = optptr[1];
> > + case IPOPT_END:
> > + return NULL;
> > + case IPOPT_NOOP:
> > + taglen = 1;
> > + break;
> > + default:
> > + taglen = optptr[1];
> > + }
> > optlen -= taglen;
> > optptr += taglen;
> > }
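Review bot: the `default:` case still uses `taglen = optptr[1]` unchecked, so the infinite loop this patch targets remains reachable. An option whose type byte is neither IPOPT_END nor IPOPT_NOOP but whose length byte is 0 leaves `optlen` and `optptr` unchanged by `optlen -= taglen; optptr += taglen;`, and the `for` loop never terminates. The same line reads `optptr[1]` even when only one byte of options is left, and a length larger than the remaining `optlen` is not rejected either. Suggest bailing out before the read when fewer than two bytes remain, then validating the value, e.g. `if (taglen < 2 || taglen > optlen) return NULL;`, before the subtraction. The commit message describes the trigger as `optptr[1] == 0`, so it would also help to state there that only the END and NOOP option types are handled by this change.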
>