lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Apr 2008 10:39:17 -0700 From: Andrew Morton <akpm@...ux-foundation.org> To: thomas.pollet@...il.com Cc: bugme-daemon@...zilla.kernel.org, netdev@...r.kernel.org Subject: Re: [Bugme-new] [Bug 10423] New: af_rose sendmsg length check (switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface). On Tue, 8 Apr 2008 06:48:27 -0700 (PDT) bugme-daemon@...zilla.kernel.org wrote: > http://bugzilla.kernel.org/show_bug.cgi?id=10423 > > Summary: af_rose sendmsg length check > Product: Networking > Version: 2.5 > KernelVersion: 2.6.24.4 > Platform: All > OS/Version: Linux > Tree: Mainline > Status: NEW > Severity: normal > Priority: P1 > Component: Other > AssignedTo: acme@...stprotocols.net > ReportedBy: thomas.pollet@...il.com > > > Hi, > > the code from rose_sendmsg in sys/net/af_rose.c doesn't check the value of len. > suppose len is very big (0xfffffff8 for example) then "size" would overflow. > > size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN; > > resulting in a buffer that's too small. > > if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) > == NULL) > return err; > > the buffer is filled here: > > 1115 skb_put(skb, len); > 1116 > 1117 err = memcpy_fromiovec(skb_transport_header(skb), msg->msg_iov, > len); > > It might be that it doesn't need to check. We check that the total length didn't overflow negative in sys_sendmsg()'s call to verify_iovec(). Of course, the addition which you identify might make a very large length overflow 0x7fffffff, and subsequent code might handle that incorrectly. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists