On Mon, Apr 20, 2015 at 09:17:22AM +0200, Romain Francoise wrote:
> > For example, here's a photo I took of the crash on 3.18.4:
> > https://orebokech.com/tmp/IMG_20150129_181653.jpg

OK I have reviewed this and indeed it does appear that the bug can be triggered. The trick appears to be making sure that your input packet is fragmented. That should then activate the kmalloc path and lead to the memory corruption.

Thanks,
--
Email: Herbert Xu <herb...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt