On Mon, Jan 23, 2017 at 3:58 PM, Eric Dumazet <eduma...@google.com> wrote:
> This function suffers from multiple issues.
>
> First one is that pskb_may_pull() may reallocate skb->head,
> so the 'raw' pointer needs either to be reloaded or not used at all.
>
> Second issue is that NEXTHDR_DEST handling does not validate
> that the options are present in skb->data, so we might read
> garbage or access non existent memory.
>
> With help from Willem de Bruijn.

Hmm, I've added a bug. Will send a V2, sorry for this.