Willem de Bruijn 4576cd469d packet: refine ring v3 block size test to hold one frame ... TPACKET_V3 stores variable length frames in fixed length blocks. Blocks must be able to store a block header, optional private space and at least one minimum sized frame. Frames, even for a zero snaplen packet, store metadata headers and optional reserved space. In the block size bounds check, ensure that the frame of the chosen configuration fits. This includes sockaddr_ll and optional tp_reserve. Syzbot was able to construct a ring with insuffient room for the sockaddr_ll in the header of a zero-length frame, triggering an out-of-bounds write in dev_parse_header. Convert the comparison to less than, as zero is a valid snap len. This matches the test for minimum tp_frame_size immediately below. Fixes: f6fb8f100b ("af-packet: TPACKET_V3 flexible buffer implementation.") Fixes: eb73190f4f ("net/packet: refine check for priv area size") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>		2018-08-06 13:48:33 -07:00
..
af_packet.c	packet: refine ring v3 block size test to hold one frame	2018-08-06 13:48:33 -07:00
diag.c	packet: pdiag_put_ring() should return TX_RING info for TPACKET_V3	2017-01-10 21:02:42 -05:00
internal.h	packet: fix bitfield update race	2018-04-24 13:17:08 -04:00
Kconfig	packet: Diag core and basic socket info dumping	2012-08-14 16:56:33 -07:00
Makefile	packet: Diag core and basic socket info dumping	2012-08-14 16:56:33 -07:00