[Bridge] [PATCH] bridge: mcast snooping, fix length check of snooped MLDv1/2

David Miller davem at davemloft.net
Wed Mar 30 02:30:01 PDT 2011


From: Linus Lüssing <linus.luessing at web.de>
Date: Sun, 27 Mar 2011 08:27:24 +0200

> "len = ntohs(ip6h->payload_len)" does not include the length of the ipv6
> header itself, which the rest of this function assumes, though.
> 
> This leads to a length check less restrictive as it should be in the
> following line for one thing. For another, it very likely leads to an
> integer underrun when substracting the offset and therefore to a very
> high new value of 'len' due to its unsignedness. This will ultimately
> lead to the pskb_trim_rcsum() practically never being called, even in
> the cases where it should.
> 
> Signed-off-by: Linus Lüssing <linus.luessing at web.de>

Applied.


More information about the Bridge mailing list