qemu-devel

Re: [PATCH] net: check payload length limit for all frames


From: P J P
Subject: Re: [PATCH] net: check payload length limit for all frames
Date: Fri, 17 Jul 2020 14:38:52 +0530 (IST)

+-- On Fri, 17 Jul 2020, Jason Wang wrote --+
| Thanks but I don't see a direct relation between 64K limit and this 
| calltrace. Maybe you can elaborate more on this?

The use-after-free is not a function of the size per se; the reproducer given 
sends large (>64k) packets via loopback interface with gso_type=none(0). The 
proposed patch helps to fix it. The large size & payload_len may result in 
other oob kind of access issues too, I think.

@Alex, would it be possible to share the reproducers on the upstream bug 
LP#1886362?

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D



