On Mon, Apr 20, 2015 at 03:26:48PM +0800, Herbert Xu wrote:
> OK I have reviewed this and indeed it does appear that the bug
> can be triggered. The trick appears to be making sure that your
> input packet is fragmented. That should then activate the kmalloc
> path and lead to the memory corruption.
Yes, that matches my testcase: the traffic I mentioned involves DNS replies that are larger than the MTU and are sent as IP fragments.

-- 
Romain Francoise <[email protected]>
http://people.debian.org/~rfrancoise/

Archive: https://lists.debian.org/[email protected]

