From: Willem de Bruijn <[email protected]>
Date: Mon, 7 Jan 2019 16:47:33 -0500

> From: Willem de Bruijn <[email protected]>
>
> Commit 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call
> pskb_may_pull") avoided a read beyond the end of the skb linear
> segment by calling pskb_may_pull.
>
> That function can trigger a BUG_ON in pskb_expand_head if the skb is
> shared, which it is when peeking. It can also return ENOMEM.
>
> Avoid both by switching to safer skb_header_pointer.
>
> Fixes: 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull")
> Reported-by: syzbot <[email protected]>
> Suggested-by: Eric Dumazet <[email protected]>
> Signed-off-by: Willem de Bruijn <[email protected]>

Applied and queued up for -stable.
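A userspace model of the two calls the commit contrasts, added here as an example and not part of the patch or of the kernel: `struct skb`, `model_may_pull`, `model_header_pointer` and the sample packet are hypothetical stand-ins for the kernel's skb, pskb_may_pull and skb_header_pointer, showing why a read-only copy into a caller buffer is safe on a shared (peeked) skb where a pull that must reallocate the head is not.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified socket buffer: a linear head plus one paged
 * fragment. users > 1 means shared, as while a MSG_PEEK caller holds it. */
struct skb {
    const uint8_t *linear; size_t linear_len;
    const uint8_t *frag;   size_t frag_len;
    int users;
};

/* Model of pskb_may_pull: bytes beyond the head must be copied into it, which
 * reallocates the head and is forbidden on a shared skb (the real
 * pskb_expand_head hits BUG_ON). 1 = ok, 0 = packet too short, -1 = shared. */
int model_may_pull(const struct skb *skb, size_t len) {
    if (len <= skb->linear_len) return 1;
    if (len > skb->linear_len + skb->frag_len) return 0;
    if (skb->users > 1) return -1;
    return 1;   /* sole owner; the real call can still fail with -ENOMEM */
}

/* Model of skb_header_pointer: never modifies the skb. Returns a pointer into
 * the head when the bytes are already there, else copies them into the
 * caller's buffer; NULL if the packet is shorter than off + len. */
const void *model_header_pointer(const struct skb *skb, size_t off, size_t len, void *buf) {
    if (off + len <= skb->linear_len) return skb->linear + off;
    if (off + len > skb->linear_len + skb->frag_len) return NULL;
    uint8_t *out = buf;
    for (size_t i = 0; i < len; i++) {
        size_t p = off + i;
        out[i] = p < skb->linear_len ? skb->linear[p] : skb->frag[p - skb->linear_len];
    }
    return buf;
}

/* Constructed sample for the ORIGDSTADDR case: only 8 of the 20 IPv4 header
 * bytes are in the head, the destination address (offset 16..19) is in the
 * fragment, and the skb is shared. Returns 1 if daddr 10.0.0.1 is read safely. */
int demo_origdstaddr_on_shared_skb(void) {
    static const uint8_t head[8]  = { 0x45, 0, 0, 20, 0, 0, 0, 0 };
    static const uint8_t frag[12] = { 0, 0, 64, 17, 0, 0, 0, 0, 10, 0, 0, 1 };
    struct skb skb = { head, 8, frag, 12, 2 };
    uint8_t buf[20];
    const uint8_t *iph = model_header_pointer(&skb, 0, sizeof buf, buf);
    if (!iph || model_may_pull(&skb, 20) != -1) return 0;
    return iph[16] == 10 && iph[19] == 1;
}
```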
