ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
Origin: https://git.kernel.org/linus/
cb3e9864cdbe35ff6378966660edbcbac955fe17
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-0394
The total cork length created by ip6_append_data includes extension
headers, so we must exclude them when comparing them against the
IPV6_CHECKSUM offset which does not include extension headers.
Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
Fixes: 357b40a18b04 ("[IPV6]: IPV6_CHECKSUM socket option can corrupt kernel memory")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name ipv6-raw-Deduct-extension-header-length-in-rawv6_pus.patch
projects / linux.git / commit