From: Willem de Bruijn <willemdebruijn.ker...@gmail.com>
Date: Mon, 23 Jul 2018 19:36:48 -0400

> From: Willem de Bruijn <will...@google.com>
>
> Syzbot reported a read beyond the end of the skb head when returning
> IPV6_ORIGDSTADDR:
>
> ...
>
> This logic and its ipv4 counterpart read the destination port from
> the packet at skb_transport_offset(skb) + 4.
>
> With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a
> packet that stores headers exactly up to skb_transport_offset(skb) in
> the head and the remainder in a frag.
>
> Call pskb_may_pull before accessing the pointer to ensure that it lies
> in skb head.
>
> Link:
> http://lkml.kernel.org/r/CAF=yd-lejwzj5a1-baaj2oy_hkmgygv6rsj_woraynv-fna...@mail.gmail.com
> Reported-by: syzbot+9adb4b567003cac78...@syzkaller.appspotmail.com
> Signed-off-by: Willem de Bruijn <will...@google.com>

Applied and queued up for -stable, thanks!
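The bug described in the quoted commit message turns on the difference between skb->len (head plus frags) and the bytes actually addressable through the linear head. The following is an added, constructed user-space model of that distinction, not kernel code and not part of the patch: struct skb_model, model_may_pull_transport and model_read_dst_port are stand-ins for the skb, pskb_may_pull and the ORIGDSTADDR port read, and the simplified may_pull only reports whether the bytes are in the head rather than pulling them in from a frag as the real helper would.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model (not the kernel's struct sk_buff): a linear head
 * plus bytes that exist only in a paged frag. skb->len covers both;
 * the head pointer covers only the first headlen bytes. */
struct skb_model {
    const uint8_t *head;     /* linear data, headlen bytes long */
    size_t headlen;          /* skb_headlen(): bytes reachable via head */
    size_t data_len;         /* bytes held in frags, not reachable via head */
    size_t transport_offset; /* skb_transport_offset() */
};

static size_t model_skb_len(const struct skb_model *skb)
{
    return skb->headlen + skb->data_len;
}

/* Stand-in for the check the fix adds. The real pskb_may_pull() would
 * also try to copy the bytes from frags into the head; this model only
 * answers whether the first len bytes of the transport header are in
 * the head, which is the only region the caller may dereference. */
static bool model_may_pull_transport(const struct skb_model *skb, size_t len)
{
    return skb->transport_offset + len <= skb->headlen;
}

/* Read the transport destination port (bytes 2..3 of the transport
 * header, so transport_offset + 4 bytes must be present in the head).
 * Returns 0 on success, -1 when the port cannot be read safely.
 * A packet whose head ends exactly at the transport header, with the
 * rest in a frag, passes the skb->len check alone; only the may_pull
 * check stops the read from running past the end of the head. */
static int model_read_dst_port(const struct skb_model *skb, uint16_t *port)
{
    size_t need = skb->transport_offset + 4;

    if (need > model_skb_len(skb))          /* bytes not in the packet at all */
        return -1;
    if (!model_may_pull_transport(skb, 4))  /* the fix: bytes not in the head */
        return -1;

    /* ports[1] in the original: network-order destination port */
    const uint8_t *p = skb->head + skb->transport_offset + 2;
    *port = (uint16_t)((p[0] << 8) | p[1]);
    return 0;
}
```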