mirror of
https://github.com/torvalds/linux.git
synced 2024-11-26 06:02:05 +00:00
acf69c9462
Using tp_reserve to calculate netoff can overflow as
tp_reserve is unsigned int and netoff is unsigned short.
This may lead to macoff receving a smaller value then
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
is set, an out-of-bounds write will occur when
calling virtio_net_hdr_from_skb.
The bug is fixed by converting netoff to unsigned int
and checking if it exceeds USHRT_MAX.
This addresses CVE-2020-14386
Fixes:
|
||
---|---|---|
.. | ||
af_packet.c | ||
diag.c | ||
internal.h | ||
Kconfig | ||
Makefile |