Re: [PATCH] seg6: Fix slab-out-of-bounds in fl6_update_dst()

2020-06-02 Thread Ahmed Abdelsalam
I’m already working on a fix for this bug. This patch leads to a bigger semantic problem as it will send SRv6 packets to the second segment not the first segment (as it does not exist in the SRH). Please see my explanation below. The main issue is the seg6_validate_srh() which is used to val

Re: [PATCH] seg6: Fix slab-out-of-bounds in fl6_update_dst()

2020-06-02 Thread Eric Dumazet
On 6/1/20 11:51 PM, YueHaibing wrote: > When updating flowi6 daddr in fl6_update_dst() for srcrt, the used index > of segments should be segments_left minus one per RFC8754 > (section 4.3.1.1) S15 S16. Otherwise it may result in an out-of-bounds > read. > > Reported-by: syzbot+e8c028b62439eac42.

[PATCH] seg6: Fix slab-out-of-bounds in fl6_update_dst()

2020-06-01 Thread YueHaibing
When updating flowi6 daddr in fl6_update_dst() for srcrt, the used index of segments should be segments_left minus one per RFC8754 (section 4.3.1.1) S15 S16. Otherwise it may result in an out-of-bounds read. Reported-by: syzbot+e8c028b62439eac42...@syzkaller.appspotmail.com Fixes: 0cb7498f234e ("se
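The thread above turns on two things: which Segment List entry a sender copies into the IPv6 destination, and whether that index is checked against the header before it is used. The C below is an added illustration, not the kernel's seg6 code and not a patch from either poster. It lays out the RFC 8754 SRH fields by byte offset, validates that Hdr Ext Len, Last Entry (the field the kernel calls first_segment) and Segments Left agree with each other and with the bytes actually held, and only then indexes Segment List[Segments Left], which is the index RFC 8754 section 4.3.1.1 uses in S16 after the decrement in S15. The function names (srh_validate, srh_active_segment, srh_active_segment_is) and the sample headers (kGoodSrh, kBadSegLeft, kBadLastEntry, addresses fc00::1 and fc00::2) are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 8754 Segment Routing Header (SRH): byte offsets of the fixed 8-octet part. */
#define SRH_FIXED_LEN     8
#define SRH_OFF_HDRLEN    1   /* Hdr Ext Len, in 8-octet units, excluding the first 8 octets */
#define SRH_OFF_TYPE      2   /* Routing Type, 4 for the SRH */
#define SRH_OFF_SEGLEFT   3   /* Segments Left: index of the active Segment List entry */
#define SRH_OFF_LASTENTRY 4   /* Last Entry: index of the last Segment List entry */
#define SRH_SEG_LEN       16  /* each Segment List entry is one IPv6 address */
#define IPV6_SRCRT_TYPE_4 4

/*
 * Consistency check for an SRH held in buf[0..len).  Returns 1 when every
 * Segment List index the header can name lies inside the bytes we hold, else 0.
 * This is an example check written for this page, not seg6_validate_srh().
 */
int srh_validate(const uint8_t *buf, size_t len)
{
    size_t hdr_octets, list_octets;

    if (len < SRH_FIXED_LEN)
        return 0;
    if (buf[SRH_OFF_TYPE] != IPV6_SRCRT_TYPE_4)
        return 0;

    /* The length the header claims must be covered by the buffer. */
    hdr_octets = ((size_t)buf[SRH_OFF_HDRLEN] + 1) * 8;
    if (hdr_octets > len)
        return 0;

    /* Segment List[0..Last Entry] must fit inside Hdr Ext Len (TLVs may follow it). */
    list_octets = ((size_t)buf[SRH_OFF_LASTENTRY] + 1) * SRH_SEG_LEN;
    if (SRH_FIXED_LEN + list_octets > hdr_octets)
        return 0;

    /* Segments Left indexes the list, so it may not exceed Last Entry. */
    if (buf[SRH_OFF_SEGLEFT] > buf[SRH_OFF_LASTENTRY])
        return 0;

    return 1;
}

/*
 * Copy the active segment, Segment List[Segments Left], into out and return its
 * index; return -1 without touching out if the header does not validate.
 */
int srh_active_segment(const uint8_t *buf, size_t len, uint8_t out[SRH_SEG_LEN])
{
    unsigned idx;

    if (!srh_validate(buf, len))
        return -1;
    idx = buf[SRH_OFF_SEGLEFT];
    memcpy(out, buf + SRH_FIXED_LEN + (size_t)idx * SRH_SEG_LEN, SRH_SEG_LEN);
    return (int)idx;
}

/* 1 if the active segment of buf equals expect; 0 otherwise, including invalid headers. */
int srh_active_segment_is(const uint8_t *buf, size_t len, const uint8_t expect[SRH_SEG_LEN])
{
    uint8_t seg[SRH_SEG_LEN];

    if (srh_active_segment(buf, len, seg) < 0)
        return 0;
    return memcmp(seg, expect, SRH_SEG_LEN) == 0;
}

/* Constructed sample addresses for this example. */
const uint8_t kFinalDst[SRH_SEG_LEN] = { 0xfc, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x02 }; /* fc00::2 */
const uint8_t kFirstHop[SRH_SEG_LEN] = { 0xfc, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01 }; /* fc00::1 */

/* Constructed well-formed SRH: Next Header 59, Hdr Ext Len 4 (32 more octets), type 4,
 * Segments Left 1, Last Entry 1; Segment List[0] = fc00::2, Segment List[1] = fc00::1. */
const uint8_t kGoodSrh[40] = {
    59, 4, 4, 1, 1, 0, 0, 0,
    0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
    0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
};

/* Same list, but Segments Left 7: Segment List[7] lies well past the 40-octet header. */
const uint8_t kBadSegLeft[40] = {
    59, 4, 4, 7, 1, 0, 0, 0,
    0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
    0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
};

/* Last Entry 3 claims four segments while Hdr Ext Len 4 only holds two. */
const uint8_t kBadLastEntry[40] = {
    59, 4, 4, 1, 3, 0, 0, 0,
    0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
    0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
};

int main(void)
{
    uint8_t seg[SRH_SEG_LEN];
    int idx = srh_active_segment(kGoodSrh, sizeof kGoodSrh, seg);

    printf("good header: active index %d, last octet %02x\n", idx, seg[SRH_SEG_LEN - 1]);
    printf("Segments Left past Last Entry: valid=%d\n", srh_validate(kBadSegLeft, sizeof kBadSegLeft));
    printf("Last Entry past Hdr Ext Len:  valid=%d\n", srh_validate(kBadLastEntry, sizeof kBadLastEntry));
    return 0;
}
```

The point of splitting the check out of the lookup is the one raised in the thread: a sender that indexes the Segment List straight from Segments Left, or from Segments Left minus one, reads whatever lies after the header whenever the header's own counters are inconsistent, so the counters must be cross-checked against Hdr Ext Len before any index derived from them touches memory.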