On Fri, 2018-03-02 at 11:53 +0100, Lorenzo Bianconi wrote:
> Fix the following slab-out-of-bounds kasan report in
> ndisc_fill_redirect_hdr_option when the incoming ipv6 packet is not
> linear and the accessed data are not in the linear data region of orig_skb
>
> Reported-by: Jianlin Shi <ji...@redhat.com> > Reviewed-by: Stefano Brivio <sbri...@redhat.com> > Signed-off-by: Lorenzo Bianconi <lorenzo.bianc...@redhat.com> > --- > net/ipv6/ndisc.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c > index 0a19ce3a6f7f..afd8c15827cd 100644 > --- a/net/ipv6/ndisc.c > +++ b/net/ipv6/ndisc.c > @@ -1554,7 +1554,8 @@ static void ndisc_fill_redirect_hdr_option(struct > sk_buff *skb, > *(opt++) = (rd_len >> 3); > opt += 6; > > - memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8); > + skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt, > + rd_len - 8); > } Wow, nice catch ! Reviewed-by: Eric Dumazet <eduma...@google.com>
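Review bot: the return value of skb_copy_bits() is dropped in the line that replaces the memcpy() in ndisc_fill_redirect_hdr_option(). Unlike memcpy(), skb_copy_bits() returns a negative error when the requested range (here rd_len - 8 bytes starting at skb_network_offset(orig_skb)) runs past the end of orig_skb, and in that case the option body is left incomplete with no indication. Since the function is void, either note in the commit message where rd_len is bounded by the length of orig_skb, or wrap the call in WARN_ON_ONCE() so a bad length becomes visible. The trailers also carry no Fixes: tag, which would help with stable backports.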