summaryrefslogtreecommitdiffhomepage
path: root/website
diff options
context:
space:
mode:
Diffstat (limited to 'website')
-rw-r--r--website/blog/2020-09-18-containing-a-real-vulnerability.md9
1 files changed, 6 insertions, 3 deletions
diff --git a/website/blog/2020-09-18-containing-a-real-vulnerability.md b/website/blog/2020-09-18-containing-a-real-vulnerability.md
index c1b06a996..8a6f7bbf1 100644
--- a/website/blog/2020-09-18-containing-a-real-vulnerability.md
+++ b/website/blog/2020-09-18-containing-a-real-vulnerability.md
@@ -48,7 +48,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
po->tp_reserve;
} else {
unsigned int maclen = skb_network_offset(skb);
- // tp_reserve is unsigned int, netoff is unsigned short. Addition can overflow netoff
+ // tp_reserve is unsigned int, netoff is unsigned short.
+ // Addition can overflow netoff
netoff = TPACKET_ALIGN(po->tp_hdrlen +
(maclen < 16 ? 16 : maclen)) +
po->tp_reserve;
@@ -56,11 +57,13 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
netoff += sizeof(struct virtio_net_hdr);
do_vnet = true;
}
- // Attacker controls netoff and can make macoff be smaller than sizeof(struct virtio_net_hdr)
+ // Attacker controls netoff and can make macoff be smaller
+ // than sizeof(struct virtio_net_hdr)
macoff = netoff - maclen;
}
// ...
- // "macoff - sizeof(struct virtio_net_hdr)" can be negative, resulting in a pointer before h.raw
+ // "macoff - sizeof(struct virtio_net_hdr)" can be negative,
+ // resulting in a pointer before h.raw
if (do_vnet &&
virtio_net_hdr_from_skb(skb, h.raw + macoff -
sizeof(struct virtio_net_hdr),