Date:	Thu, 10 Apr 2008 01:31:55 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	akpm@...ux-foundation.org
Cc:	M.Piechaczek@...osys.tv, bugme-daemon@...zilla.kernel.org,
	netdev@...r.kernel.org
Subject: Re: [Bugme-new] [Bug 10371] New: On big-endian machines getsockopt
 returns 0 (via optval) for optlen==1 when returned value should 255

From: Andrew Morton <akpm@...ux-foundation.org>
Date: Mon, 31 Mar 2008 11:33:49 -0700

> On Mon, 31 Mar 2008 08:16:05 -0700 (PDT) bugme-daemon@...zilla.kernel.org wrote:
> 
> > http://bugzilla.kernel.org/show_bug.cgi?id=10371
 ...
> You've done all the hard work - please email us a tested patch?

I've checked in the following fix for this bug, thanks!

commit 951e07c930f5f66b676eaa4c32a1b0d8e2d7d06a
Author: David S. Miller <davem@...emloft.net>
Date:   Thu Apr 10 01:29:36 2008 -0700

    [IPV4]: Fix byte value boundary check in do_ip_getsockopt().
    
    This fixes kernel bugzilla 10371.
    
    As reported by M.Piechaczek@...osys.tv, if we try to grab a
    char sized socket option value, as in:
    
      unsigned char ttl = 255;
      socklen_t     len = sizeof(ttl);
      setsockopt(socket, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, &len);
    
      getsockopt(socket, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, &len);
    
    The ttl returned will be wrong on big-endian, and on both little-
    endian and big-endian the next three bytes in userspace are written
    with garbage.
    
    It's because of this test in do_ip_getsockopt():
    
    	if (len < sizeof(int) && len > 0 && val>=0 && val<255) {
    
    It should allow a 'val' of 255 to pass here, but it doesn't so it
    copies a full 'int' back to userspace.
    
    On little-endian that will write the correct value into the location
    but it spams on the next three bytes in userspace.  On big endian it
    writes the wrong value into the location and spams the next three
    bytes.
    
    Signed-off-by: David S. Miller <davem@...emloft.net>

diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index f72457b..c2921d0 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1132,7 +1132,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
 	}
 	release_sock(sk);
 
-	if (len < sizeof(int) && len > 0 && val>=0 && val<255) {
+	if (len < sizeof(int) && len > 0 && val>=0 && val<=255) {
 		unsigned char ucval = (unsigned char)val;
 		len = 1;
 		if (put_user(len, optlen))
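Review bot: the widened test at `val<=255` still sends every value outside 0..255 to the other branch even when `len < sizeof(int)`, and the commit message says that branch copies a full int back to userspace. A caller that passes a 1-byte buffer for an option whose value is negative or above 255 would therefore still see the adjacent bytes written; it is worth confirming that the fall-through path bounds its copy by the caller's `len` (or returns an error) rather than relying on the value range alone. Style point on the same line: since the condition is being rewritten anyway, spacing the operators as `val >= 0 && val <= 255` would match the surrounding kernel coding style.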
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
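
A userspace regression check for the behaviour described in the commit message above, added here as an example (it is not part of the original e-mail or of the kernel tree). It sets IP_MULTICAST_TTL, reads it back with optlen 1 into the first byte of a guarded buffer, and reports whether the value is right and whether the following bytes were touched; the helper name `check_ttl_roundtrip` and the guard pattern are assumptions of this example.

```c
/* Added example: userspace check for a byte-sized getsockopt() round trip. */
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define GUARD 0xA5	/* constructed fill pattern for the bytes after buf[0] */

/*
 * Hypothetical helper (the name is this example's own).
 * Returns 0 = correct, 1 = wrong byte returned, 2 = bytes past the first
 * were written, 3 = optlen not reported as 1, -1 = a socket call failed.
 */
int check_ttl_roundtrip(unsigned char want)
{
	unsigned char buf[8], ttl = want;
	socklen_t len = 1;	/* tell the kernel we only have one byte */
	size_t i;
	int fd = socket(AF_INET, SOCK_DGRAM, 0);

	if (fd < 0)
		return -1;
	memset(buf, GUARD, sizeof(buf));
	if (setsockopt(fd, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, sizeof(ttl)) < 0 ||
	    getsockopt(fd, IPPROTO_IP, IP_MULTICAST_TTL, buf, &len) < 0) {
		close(fd);
		return -1;
	}
	close(fd);

	if (len != 1)
		return 3;
	if (buf[0] != want)
		return 1;
	/* buf is 8 bytes, so an int-sized write lands in the guard area */
	for (i = 1; i < sizeof(buf); i++)
		if (buf[i] != GUARD)
			return 2;
	return 0;
}

int main(void)
{
	static const unsigned char cases[] = { 0, 1, 254, 255 };
	size_t i;

	for (i = 0; i < sizeof(cases); i++)
		printf("ttl=%3u -> %d\n", (unsigned)cases[i], check_ttl_roundtrip(cases[i]));
	return 0;
}
```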