lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 18 Mar 2007 14:43:46 +0200 From: Dan Aloni <da-x@...atomic.org> To: Linux Kernel List <linux-kernel@...r.kernel.org> Cc: netdev@...r.kernel.org Subject: [PATCH] tcp_sendpage(): fix broken page iteration do_tcp_sendpages() should not iterate 'pages' as an array since it is not an array of 'struct page *', but a pointer to a single entity of 'struct page *' passed on the stack as a parameter to tcp_send_page() (hence it would crash if poffset + psize > PAGE_SIZE, because pages[1] and beyond most probably not constitutes a valid 'struct page *'). Since 'page' points to an array of 'struct page', the obvious fix is to iterate that array instead, and that's what the function should have done in the first place. Applies to 2.6.21-rc4 and above. diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 3834b10..4881c8d 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -501,7 +501,7 @@ static inline void tcp_push(struct sock *sk, struct tcp_sock *tp, int flags, } } -static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffset, +static ssize_t do_tcp_sendpages(struct sock *sk, struct page *pages, int poffset, size_t psize, int flags) { struct tcp_sock *tp = tcp_sk(sk); @@ -527,7 +527,7 @@ static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffse while (psize > 0) { struct sk_buff *skb = sk->sk_write_queue.prev; - struct page *page = pages[poffset / PAGE_SIZE]; + struct page *page = &pages[poffset / PAGE_SIZE]; int copy, i, can_coalesce; int offset = poffset % PAGE_SIZE; int size = min_t(size_t, psize, PAGE_SIZE - offset); @@ -630,7 +630,7 @@ ssize_t tcp_sendpage(struct socket *sock, struct page *page, int offset, lock_sock(sk); TCP_CHECK_TIMER(sk); - res = do_tcp_sendpages(sk, &page, offset, size, flags); + res = do_tcp_sendpages(sk, page, offset, size, flags); TCP_CHECK_TIMER(sk); release_sock(sk); return res; -- Dan Aloni XIV LTD, http://www.xivstorage.com da-x (at) monatomic.org, dan (at) xiv.co.il - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists