Commit 06b3db83 authored by Herbert Xu's avatar Herbert Xu Committed by Jialin Zhang
Browse files

ipv6: raw: Deduct extension header length in rawv6_push_pending_frames 

stable inclusion
from stable-v5.10.164
commit 6c9e2c11c33c35563d34d12b343d43b5c12200b5
category: bugfix
bugzilla: 188291, https://gitee.com/src-openeuler/kernel/issues/I6B1V2
CVE: CVE-2023-0394

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6c9e2c11c33c35563d34d12b343d43b5c12200b5



--------------------------------

commit cb3e9864 upstream.

The total cork length created by ip6_append_data includes extension
headers, so we must exclude them when comparing them against the
IPV6_CHECKSUM offset which does not include extension headers.

Reported-by: default avatarKyle Zeng <zengyhkyle@gmail.com>
Fixes: 357b40a1 ("[IPV6]: IPV6_CHECKSUM socket option can corrupt kernel memory")
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarLu Wei <luwei32@huawei.com>
Reviewed-by: default avatarLiu Jian <liujian56@huawei.com>
Reviewed-by: default avatarXiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parent 21851e4c
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment