diff options
author | Ian Lewis <ianlewis@google.com> | 2020-10-13 18:58:01 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-10-13 18:59:45 -0700 |
commit | 631dd5330d438729a7a8f6e00b279386924de640 (patch) | |
tree | 8961b5d7fcf1c58bb83d8c1c6617875daa542c3a /website/blog/2020-09-18-containing-a-real-vulnerability.md | |
parent | 7eeeff4268384a7aa87ab5aa6d57ac89711bcbff (diff) |
Various website fixes
- Formatting on the most recent blog post
- Add a link to faq from containerd docs
- Fix code in FAQ
PiperOrigin-RevId: 337001738
Diffstat (limited to 'website/blog/2020-09-18-containing-a-real-vulnerability.md')
-rw-r--r-- | website/blog/2020-09-18-containing-a-real-vulnerability.md | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/website/blog/2020-09-18-containing-a-real-vulnerability.md b/website/blog/2020-09-18-containing-a-real-vulnerability.md index c1b06a996..8a6f7bbf1 100644 --- a/website/blog/2020-09-18-containing-a-real-vulnerability.md +++ b/website/blog/2020-09-18-containing-a-real-vulnerability.md @@ -48,7 +48,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, po->tp_reserve; } else { unsigned int maclen = skb_network_offset(skb); - // tp_reserve is unsigned int, netoff is unsigned short. Addition can overflow netoff + // tp_reserve is unsigned int, netoff is unsigned short. + // Addition can overflow netoff netoff = TPACKET_ALIGN(po->tp_hdrlen + (maclen < 16 ? 16 : maclen)) + po->tp_reserve; @@ -56,11 +57,13 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, netoff += sizeof(struct virtio_net_hdr); do_vnet = true; } - // Attacker controls netoff and can make macoff be smaller than sizeof(struct virtio_net_hdr) + // Attacker controls netoff and can make macoff be smaller + // than sizeof(struct virtio_net_hdr) macoff = netoff - maclen; } // ... - // "macoff - sizeof(struct virtio_net_hdr)" can be negative, resulting in a pointer before h.raw + // "macoff - sizeof(struct virtio_net_hdr)" can be negative, + // resulting in a pointer before h.raw if (do_vnet && virtio_net_hdr_from_skb(skb, h.raw + macoff - sizeof(struct virtio_net_hdr), |