From: Eric Dumazet <eric.duma...@gmail.com> Date: Fri, 19 May 2017 14:17:48 -0700
> From: Eric Dumazet <eduma...@google.com>
>
> Andrey Konovalov and idaif...@gmail.com reported crashes caused by
> one skb shared_info being overwritten from __ip6_append_data()
>
> Andrey's program led to the following state:
>
> copy -4200 datalen 2000 fraglen 2040
> maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200
>
> The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
> fraggap, 0); is overwriting skb->head and skb_shared_info
>
> Since we apparently detect this rare condition too late, move the
> code earlier to even avoid allocating skb and risking crashes.
>
> Once again, many thanks to Andrey and syzkaller team.
>
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Andrey Konovalov <andreyk...@google.com>
> Tested-by: Andrey Konovalov <andreyk...@google.com>
> Reported-by: <idaif...@gmail.com>

Looks good, applied and queued up for -stable. Thanks Eric.
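The quoted state (copy -4200, datalen 2000, transhdrlen 0, fraggap 6200, alloclen 2048) says that the tail pulled back from the previous fragment is larger than the whole new skb, so the copy runs past the allocation. The model below is an added example, not the kernel's __ip6_append_data() or the patch itself: it keeps only the quantities the commit message names, replaces the skb with a plain calloc'd buffer, treats the previous fragment as a constructed 8240-byte array (skb_prev->len such that skb_prev->len - maxfraglen = 6200), and performs the `copy < 0` check before any allocation, which is the ordering the message argues for. All names here are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the quantities named in the commit message; this is
 * not the kernel's __ip6_append_data(), only the arithmetic it describes. */
struct frag_req {
    unsigned int datalen;     /* payload bytes the new fragment should carry */
    unsigned int transhdrlen; /* transport header bytes at the front of data */
    unsigned int fraggap;     /* tail bytes moved in from the previous fragment */
    unsigned int alloclen;    /* bytes that would be allocated for the new skb */
};

/* Buffers handed out by append_fragment(); lets a caller confirm that a
 * rejected request never allocated anything. */
static unsigned int model_alloc_count;

/* User-data bytes left once the gap is moved in, or -EINVAL when the gap and
 * transport header alone exceed datalen: the check done before allocating. */
static long fragment_copy_len(const struct frag_req *r)
{
    long copy = (long)r->datalen - (long)r->transhdrlen - (long)r->fraggap;
    return copy < 0 ? -EINVAL : copy;
}

/* Allocate a new fragment buffer and move 'fraggap' tail bytes of the
 * previous fragment into it after the transport header. Returns 0 on
 * success, -EINVAL (without allocating) for an unsatisfiable request,
 * -ENOMEM if the allocation fails. */
static int append_fragment(const uint8_t *prev, size_t prev_len,
                           const struct frag_req *r, uint8_t **out)
{
    long copy = fragment_copy_len(r);
    if (copy < 0)
        return -EINVAL;            /* rejected before any allocation */
    if (r->fraggap > prev_len || r->transhdrlen + r->fraggap > r->alloclen)
        return -EINVAL;            /* model-only sanity bounds */

    uint8_t *skb = calloc(r->alloclen, 1);
    if (!skb)
        return -ENOMEM;
    model_alloc_count++;

    /* Stand-in for skb_copy_and_csum_bits(skb_prev, maxfraglen,
     * data + transhdrlen, fraggap, 0). With the quoted values
     * (fraggap 6200 into alloclen 2048) this memcpy would be the
     * out-of-bounds write; the early check above means it is never reached. */
    memcpy(skb + r->transhdrlen, prev + (prev_len - r->fraggap), r->fraggap);

    *out = skb;
    return 0;
}

/* Replays the state quoted in the commit message: datalen 2000,
 * transhdrlen 0, fraggap 6200, alloclen 2048 (copy works out to -4200). */
static int replay_reported_state(void)
{
    struct frag_req bad = { .datalen = 2000, .transhdrlen = 0,
                            .fraggap = 6200, .alloclen = 2048 };
    static uint8_t prev[8240];         /* constructed previous fragment */
    uint8_t *skb = NULL;
    int rc = append_fragment(prev, sizeof prev, &bad, &skb);
    free(skb);
    return rc;                         /* -EINVAL, and nothing was allocated */
}

/* Same shape with a gap that fits: succeeds and allocates exactly once. */
static int replay_sane_state(void)
{
    struct frag_req ok = { .datalen = 2000, .transhdrlen = 0,
                           .fraggap = 200, .alloclen = 2048 };
    uint8_t prev[2240];
    memset(prev, 0xAB, sizeof prev);   /* constructed previous fragment */
    uint8_t *skb = NULL;
    int rc = append_fragment(prev, sizeof prev, &ok, &skb);
    if (rc == 0 && skb[0] != 0xAB)     /* the moved tail must land at data+0 */
        rc = -EIO;
    free(skb);
    return rc;
}
```

The point of the ordering is visible in `append_fragment()`: a negative `copy` is decided from datalen, transhdrlen and fraggap alone, so rejecting it before `calloc()` costs nothing and leaves no half-built buffer to free on the error path.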