Displaying 1 result from an estimated 1 matches for "dst_clone".
1999 Mar 25
0
(Fwd) DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
...ns of all fragments into the new buffer. */
fp = qp->fragments;
count = qp->ihlen;
while(fp) {
if ((fp->len < 0) || ((count + fp->len) > skb->len))
goto out_invalid;
memcpy((ptr + fp->offset), fp->ptr, fp->len);
if (count == qp->ihlen) {
skb->dst = dst_clone(fp->skb->dst);
skb->dev = fp->skb->dev;
}
count += fp->len;
fp = fp->next;
}
The problem in this code is that if you can get a fragment into the
qp->fragments list that has a length of 0, and is the first fragment in the
list, then the call to dst_clone() will hap...