lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Mon, 31 Mar 2008 08:45:22 -0700
From:	Stephen Hemminger <shemminger@...ux-foundation.org>
To:	netdev@...r.kernel.org
Subject: Fw: [Bug 10371] New: On big-endian machines getsockopt returns 0
 (via optval) for optlen==1 when returned value should 255



Begin forwarded message:

Date: Mon, 31 Mar 2008 08:16:05 -0700 (PDT)
From: bugme-daemon@...zilla.kernel.org
To: shemminger@...ux-foundation.org
Subject: [Bug 10371] New: On big-endian machines getsockopt returns 0 (via optval) for optlen==1 when returned value should 255


http://bugzilla.kernel.org/show_bug.cgi?id=10371

           Summary: On big-endian machines getsockopt returns 0 (via optval)
                    for optlen==1 when returned value should 255
           Product: Networking
           Version: 2.5
     KernelVersion: 2.6.24
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: IPV4
        AssignedTo: shemminger@...ux-foundation.org
        ReportedBy: M.Piechaczek@...osys.tv


Latest working kernel version: 
Earliest failing kernel version: all 2.6
Distribution: 
Hardware Environment: 
Software Environment: 
Problem Description: 

On big-endian machines getsockopt fails for optlen==1 when returned value is
255.
Eg. after calling
  unsigned char ttl = 255;
  socklen_t     len = sizeof(ttl);
  setsockopt(socket, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, &len);
the following call will fail:
  getsockopt(socket, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, &len);
"ttl" returned will be 0.


It's because of bug in /net/ipv4/ip_sockglue.c:

 static int do_ip_getsockopt(struct sock *sk, int level, int optname,
                            char __user *optval, int __user *optlen) 
 ....
        if (len < sizeof(int) && len > 0 && val>=0 && val<255) {
                unsigned char ucval = (unsigned char)val;
                len = 1;
                if (put_user(len, optlen))
                        return -EFAULT;
                if (copy_to_user(optval,&ucval,1))
                        return -EFAULT;
        } else {
                len = min_t(unsigned int, sizeof(int), len);
                if (put_user(len, optlen))
                        return -EFAULT;
                if (copy_to_user(optval,&val,len))
                        return -EFAULT;
        }
        return 0;
} 

The comparision in if-statement should be:
        if (len < sizeof(int) && len > 0 && val>=0 && val<=255)

Otherwise on big-endian machines copy_to_user(optval,&val,len) routine copies
first (highest) byte which is 0 in that case.


This bug does not occur on low-endian machines since
copy_to_user(optval,&val,len) copies right (lowest) byte in that case.


-- 
Configure bugmail: http://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ