From: Eric Dumazet <[email protected]> Date: Fri, 19 May 2017 14:17:48 -0700
> From: Eric Dumazet <[email protected]>
>
> Andrey Konovalov and [email protected] reported crashes caused by
> one skb shared_info being overwritten from __ip6_append_data()
>
> Andrey's program led to the following state:
>
> copy -4200 datalen 2000 fraglen 2040
> maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200
>
> The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
> fraggap, 0); is overwriting skb->head and skb_shared_info
>
> Since we apparently detect this rare condition too late, move the
> code earlier to even avoid allocating the skb and risking crashes.
>
> Once again, many thanks to Andrey and the syzkaller team.
>
> Signed-off-by: Eric Dumazet <[email protected]>
> Reported-by: Andrey Konovalov <[email protected]>
> Tested-by: Andrey Konovalov <[email protected]>
> Reported-by: <[email protected]>

Looks good, applied and queued up for -stable.

Thanks Eric.
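The arithmetic behind the state quoted in the commit message, as an added example that is not part of the original thread or of the kernel's own code. It reproduces the quoted numbers (copy = datalen - transhdrlen - fraggap = 2000 - 0 - 6200 = -4200) and contrasts two orderings of the `copy < 0` check: after the allocation and the fraggap copy, or before either. The model is deliberately simplified: the buffer is treated as exactly `alloclen` bytes starting at `data` (the real code adds headroom and places skb_shared_info after the data, which is what got clobbered), the `-EINVAL` return and the `build_fragment` / `overrun_bytes` helpers are assumptions made for illustration, and the overshoot is only computed, never written.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Simplified model of one fragment-building step in __ip6_append_data().
 * Assumption: the destination buffer is exactly alloclen bytes starting
 * at data; the real skb has headroom and skb_shared_info beyond that.
 */
struct frag_result {
    int err;        /* 0, -EINVAL or -ENOMEM */
    int corrupted;  /* bytes the fraggap copy would write past the buffer */
};

/* copy as the kernel computes it: datalen - transhdrlen - fraggap. */
static int frag_copy_len(int datalen, int transhdrlen, int fraggap)
{
    return datalen - transhdrlen - fraggap;
}

/* How far a copy of fraggap bytes at data + transhdrlen overshoots alloclen. */
static int overrun_bytes(int transhdrlen, int fraggap, int alloclen)
{
    int end = transhdrlen + fraggap;
    return end > alloclen ? end - alloclen : 0;
}

/*
 * check_early == 1: reject a negative copy before allocating (the fix).
 * check_early == 0: allocate, do the pull-back copy, then check (too late).
 * No real out-of-bounds write is performed; only its size is reported.
 */
static struct frag_result build_fragment(int datalen, int transhdrlen,
                                         int fraggap, int alloclen,
                                         int check_early)
{
    struct frag_result r = { 0, 0 };
    int copy = frag_copy_len(datalen, transhdrlen, fraggap);

    if (check_early && copy < 0) {
        r.err = -EINVAL;   /* rejected before any allocation or copy */
        return r;
    }

    unsigned char *head = calloc(1, (size_t)alloclen);
    if (!head) {
        r.err = -ENOMEM;
        return r;
    }

    /* Late ordering: the fraggap copy runs here, before the check. */
    r.corrupted = overrun_bytes(transhdrlen, fraggap, alloclen);
    free(head);

    if (copy < 0)
        r.err = -EINVAL;   /* caught, but only after the overrun */
    return r;
}

int main(void)
{
    /* Values quoted in the commit message: datalen 2000, transhdrlen 0,
     * fraggap 6200, alloclen 2048. */
    struct frag_result late  = build_fragment(2000, 0, 6200, 2048, 0);
    struct frag_result early = build_fragment(2000, 0, 6200, 2048, 1);

    printf("copy = %d\n", frag_copy_len(2000, 0, 6200));
    printf("late check : err=%d, bytes past buffer=%d\n",
           late.err, late.corrupted);
    printf("early check: err=%d, bytes past buffer=%d\n",
           early.err, early.corrupted);
    return 0;
}
```

With the quoted inputs the late ordering still returns -EINVAL, but only after a 6200-byte copy into a 2048-byte buffer, i.e. 4152 bytes past its end; the early ordering returns the same error with nothing allocated and nothing copied, which is the point of moving the check.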
