ipv6: Fix out-of-bounds access in ipv6_find_tlv()
authorGavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Tue, 23 May 2023 08:29:44 +0000 (08:29 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 30 May 2023 13:03:21 +0000 (14:03 +0100)
commit91dd8aab9c9f193210681b86b6b92840ffe74f0c
treec471f73bd09282628de27259a46ab30ff5de58b9
parent9bc1dbfd9158c53b11c458559381998c04e8c240
ipv6: Fix out-of-bounds access in ipv6_find_tlv()

commit 878ecb0897f4737a4c9401f3523fd49589025671 upstream.

optlen is fetched without checking whether there is more than one byte to parse.
It can lead to out-of-bounds access.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: c61a40432509 ("[IPV6]: Find option offset by type.")
Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/ipv6/exthdrs_core.c