Re: [PATCH] net: check payload length limit for all frames

[Li Qiang]

P J P <ppandit@redhat.com> 于2020年7月17日周五 下午5:09写道：
>
> +-- On Fri, 17 Jul 2020, Jason Wang wrote --+
> | Thanks but I don't see a direct relation between 64K limit and this
> | calltrace. Maybe you can elaborate more on this?
>
> The use-after-free is not function of the size per say; The reproducer given
> sends large(>64k) packets via loopback interface with gso_type=none(0). The
> proposed patch helps to fix it. The large size & payload_len may result in
> other oob kind of access issues too I think.
>
> @Alex, would it be possible to share the reproduces on the upstream bug
> LP#1886362?

The reproducer of LP#1886362 is here:
--> https://bugs.launchpad.net/qemu/+bug/1886362

Maybe you mean the reproducer of your patch?
If you or Alex could share it, I'm glad to analysis this issue.

Thanks,
Li Qiang

>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
>