Diffstat (limited to 'website/blog/2020-09-18-containing-a-real-vulnerability.md')
-rw-r--r-- | website/blog/2020-09-18-containing-a-real-vulnerability.md | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/website/blog/2020-09-18-containing-a-real-vulnerability.md b/website/blog/2020-09-18-containing-a-real-vulnerability.md index c1b06a996..8a6f7bbf1 100644 --- a/website/blog/2020-09-18-containing-a-real-vulnerability.md +++ b/website/blog/2020-09-18-containing-a-real-vulnerability.md @@ -48,7 +48,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, po->tp_reserve; } else { unsigned int maclen = skb_network_offset(skb); - // tp_reserve is unsigned int, netoff is unsigned short. Addition can overflow netoff + // tp_reserve is unsigned int, netoff is unsigned short. + // Addition can overflow netoff netoff = TPACKET_ALIGN(po->tp_hdrlen + (maclen < 16 ? 16 : maclen)) + po->tp_reserve; @@ -56,11 +57,13 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, netoff += sizeof(struct virtio_net_hdr); do_vnet = true; } - // Attacker controls netoff and can make macoff be smaller than sizeof(struct virtio_net_hdr) + // Attacker controls netoff and can make macoff be smaller + // than sizeof(struct virtio_net_hdr) macoff = netoff - maclen; } // ... - // "macoff - sizeof(struct virtio_net_hdr)" can be negative, resulting in a pointer before h.raw + // "macoff - sizeof(struct virtio_net_hdr)" can be negative, + // resulting in a pointer before h.raw if (do_vnet && virtio_net_hdr_from_skb(skb, h.raw + macoff - sizeof(struct virtio_net_hdr), |