superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/net
History
Yucheng Lu d64cb81dcb net/sched: sch_netem: fix out-of-bounds access in packet corruption 
In netem_enqueue(), the packet corruption logic uses
get_random_u32_below(skb_headlen(skb)) to select an index for
modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear
packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0.

Passing 0 to get_random_u32_below() takes the variable-ceil slow path
which returns an unconstrained 32-bit random integer. Using this
unconstrained value as an offset into skb->data results in an
out-of-bounds memory access.

Fix this by verifying skb_headlen(skb) is non-zero before attempting
to corrupt the linear data area. Fully non-linear packets will silently
bypass the corruption logic.

Fixes: c865e5d99e ("[PKT_SCHED] netem: packet corruption option")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yuhang Zheng <z1652074432@gmail.com>
Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Link: https://patch.msgid.link/45435c0935df877853a81e6d06205ac738ec65fa.1774941614.git.kanolyc@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2026-04-01 19:24:20 -07:00
..
6lowpan
9p Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
802 Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
8021q Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
appletalk Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
atm atm: lec: fix use-after-free in sock_def_readable() 2026-03-14 08:05:47 -07:00
ax25 Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
batman-adv Here is a batman-adv bugfix: 2026-03-18 17:41:00 -07:00
bluetooth Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync 2026-04-01 16:48:28 -04:00
bpf Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
bridge bridge: mrp: reject zero test interval to avoid OOM panic 2026-03-31 16:11:24 +02:00
caif Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
can can: isotp: fix tx.buf use-after-free in isotp_sendmsg() 2026-03-19 17:16:02 +01:00
ceph libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() 2026-03-11 10:18:56 +01:00
core net: use skb_header_pointer() for TCPv4 GSO frag_off check 2026-03-30 17:35:21 -07:00
dcb Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
devlink Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
dns_resolver
dsa Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ethernet bonding: prevent potential infinite loop in bond_header_parse() 2026-03-16 19:29:45 -07:00
ethtool Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
handshake treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
hsr Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ieee802154 Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ife
ipv4 ipsec-2026-03-23 2026-03-24 15:16:28 +01:00
ipv6 ipv6: fix data race in fib6_metric_set() using cmpxchg 2026-04-01 17:44:35 -07:00
iucv Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
kcm kcm: fix zero-frag skb in frag_list on partial sendmsg error 2026-02-23 17:26:55 -08:00
key ipsec-2026-03-23 2026-03-24 15:16:28 +01:00
l2tp Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
l3mdev
lapb treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
llc treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
mac80211 wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure 2026-03-18 09:09:58 +01:00
mac802154 bonding: prevent potential infinite loop in bond_header_parse() 2026-03-16 19:29:45 -07:00
mctp mctp: route: hold key->lock in mctp_flow_prepare_output() 2026-03-10 11:38:36 +01:00
mpls mpls: add seqcount to protect the platform_label{,s} pair 2026-03-26 18:32:14 -07:00
mptcp mptcp: fix soft lockup in mptcp_recvmsg() 2026-03-31 18:58:37 -07:00
ncsi net: ncsi: fix skb leak in error paths 2026-03-06 17:34:48 -08:00
netfilter netfilter: nf_tables: reject immediate NF_QUEUE verdict 2026-04-01 11:55:30 +02:00
netlabel Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
netlink Convert more 'alloc_obj' cases to default GFP_KERNEL arguments 2026-02-21 20:03:00 -08:00
netrom Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nfc nfc: nci: fix circular locking dependency in nci_close_device 2026-03-19 16:56:18 -07:00
nsh
openvswitch openvswitch: validate MPLS set/set_masked payload length 2026-03-20 18:37:31 -07:00
packet net: fix fanout UAF in packet_release() via NETDEV_UP race 2026-03-23 17:07:19 -07:00
phonet bonding: prevent potential infinite loop in bond_header_parse() 2026-03-16 19:29:45 -07:00
psample treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
psp Including fixes from IPsec, Bluetooth and netfilter 2026-02-26 08:00:13 -08:00
qrtr net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak 2026-03-26 20:22:38 -07:00
rds rds: ib: reject FRMR registration before IB connection is established 2026-04-01 17:52:40 -07:00
rfkill Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
rose net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect 2026-03-12 19:23:59 -07:00
rxrpc rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer() 2026-03-06 17:49:52 -08:00
sched net/sched: sch_netem: fix out-of-bounds access in packet corruption 2026-04-01 19:24:20 -07:00
sctp Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
shaper net: shaper: protect from late creation of hierarchy 2026-03-19 13:47:15 +01:00
smc net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer 2026-03-20 18:59:30 -07:00
strparser
sunrpc nfsd-7.0 fixes: 2026-03-18 14:27:11 -07:00
switchdev treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
tipc tipc: fix divide-by-zero in tipc_sk_filter_connect() 2026-03-11 18:56:28 -07:00
tls tls: Purge async_hold in tls_decrypt_async_wait() 2026-03-26 09:55:53 +01:00
unix af_unix: Give up GC if MSG_PEEK intervened. 2026-03-12 13:37:18 -07:00
vmw_vsock Including fixes from IPsec, Bluetooth and netfilter 2026-02-26 08:00:13 -08:00
wireless wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down 2026-03-06 12:41:59 +01:00
x25 treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
xdp xsk: Fix zero-copy AF_XDP fragment drop 2026-02-28 08:55:11 -08:00
xfrm ipsec-2026-03-23 2026-03-24 15:16:28 +01:00
Kconfig
Kconfig.debug
Makefile
compat.c socket: Unify getsockname and getpeername implementation 2025-11-26 13:45:23 -07:00
devres.c
socket.c net: Drop the lock in skb_may_tx_timestamp() 2026-02-24 11:27:29 +01:00
sysctl_net.c