diff options
| author | Weiming Shi <bestswngs@gmail.com> | 2026-04-16 18:01:51 +0800 |
|---|---|---|
| committer | Paolo Abeni <pabeni@redhat.com> | 2026-04-21 10:18:18 +0200 |
| commit | 4c1367a2d7aad643a6f87c6931b13cc1a25e8ca7 (patch) | |
| tree | 921b34ef7ffece807645d3e0de5967bf9f6ab5ed /include/linux | |
| parent | e76607442d5b73e1ba6768f501ef815bb58c2c0e (diff) | |
slip: bound decode() reads against the compressed packet length
slhc_uncompress() parses a VJ-compressed TCP header by advancing a
pointer through the packet via decode() and pull16(). Neither helper
bounds-checks against isize, and decode() masks its return with
& 0xffff so it can never return the -1 that callers test for -- those
error paths are dead code.
A short compressed frame whose change byte requests optional fields
lets decode() read past the end of the packet. The over-read bytes
are folded into the cached cstate and reflected into subsequent
reconstructed packets.
Make decode() and pull16() take the packet end pointer and return -1
when exhausted. Add a bounds check before the TCP-checksum read.
The existing == -1 tests now do what they were always meant to.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Simon Horman <horms@kernel.org>
Closes: https://lore.kernel.org/netdev/20260414134126.758795-2-horms@kernel.org/
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260416100147.531855-5-bestswngs@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions