Headline
CVE-2011-4326: ipv6: udp: fix the wrong headroom check · torvalds/linux@a9cf73e
The udp6_ufo_fragment function in net/ipv6/udp.c in the Linux kernel before 2.6.39, when a certain UDP Fragmentation Offload (UFO) configuration is enabled, allows remote attackers to cause a denial of service (system crash) by sending fragmented IPv6 UDP packets to a bridge device.
Permalink
Browse files
ipv6: udp: fix the wrong headroom check
At this point, skb->data points to skb_transport_header. So, headroom check is wrong.
For some case:bridge(UFO is on) + eth device(UFO is off), there is no enough headroom for IPv6 frag head. But headroom check is always false.
This will bring about data be moved to there prior to skb->head, when adding IPv6 frag header to skb.
Signed-off-by: Shan Wei [email protected] Acked-by: Herbert Xu [email protected] Signed-off-by: David S. Miller [email protected]
- Loading branch information