lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 18 Mar 2007 14:43:46 +0200
From:	Dan Aloni <da-x@...atomic.org>
To:	Linux Kernel List <linux-kernel@...r.kernel.org>
Cc:	netdev@...r.kernel.org
Subject: [PATCH] tcp_sendpage(): fix broken page iteration

do_tcp_sendpages() should not iterate 'pages' as an array since 
it is not an array of 'struct page *', but a pointer to a single 
entity of 'struct page *' passed on the stack as a parameter to 
tcp_send_page() (hence it would crash if poffset + psize > PAGE_SIZE,
because pages[1] and beyond most probably not constitutes a valid 
'struct page *').

Since 'page' points to an array of 'struct page', the obvious fix 
is to iterate that array instead, and that's what the function
should have done in the first place.

Applies to 2.6.21-rc4 and above.


diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 3834b10..4881c8d 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -501,7 +501,7 @@ static inline void tcp_push(struct sock *sk, struct tcp_sock *tp, int flags,
 	}
 }
 
-static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffset,
+static ssize_t do_tcp_sendpages(struct sock *sk, struct page *pages, int poffset,
 			 size_t psize, int flags)
 {
 	struct tcp_sock *tp = tcp_sk(sk);
@@ -527,7 +527,7 @@ static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffse
 
 	while (psize > 0) {
 		struct sk_buff *skb = sk->sk_write_queue.prev;
-		struct page *page = pages[poffset / PAGE_SIZE];
+		struct page *page = &pages[poffset / PAGE_SIZE];
 		int copy, i, can_coalesce;
 		int offset = poffset % PAGE_SIZE;
 		int size = min_t(size_t, psize, PAGE_SIZE - offset);
@@ -630,7 +630,7 @@ ssize_t tcp_sendpage(struct socket *sock, struct page *page, int offset,
 
 	lock_sock(sk);
 	TCP_CHECK_TIMER(sk);
-	res = do_tcp_sendpages(sk, &page, offset, size, flags);
+	res = do_tcp_sendpages(sk, page, offset, size, flags);
 	TCP_CHECK_TIMER(sk);
 	release_sock(sk);
 	return res;


-- 
Dan Aloni
XIV LTD, http://www.xivstorage.com
da-x (at) monatomic.org, dan (at) xiv.co.il
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists