lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Aug 2008 08:59:13 +0800 From: Eugene Teo <eteo@...hat.com> To: Vlad Yasevich <vladislav.yasevich@...com> CC: davem@...emloft.net, netdev@...r.kernel.org, linux-sctp@...r.kernel.org, security@...nel.org Subject: Re: [PATCH] sctp: add verification checks to SCTP_AUTH_KEY option Vlad Yasevich wrote: > The structure used for SCTP_AUTH_KEY option contains a > length that needs to be verfied to prevent buffer overflow > conditions. Spoted by Eugene Teo <eteo@...hat.com>. > > Signed-off-by: Vlad Yasevich <vladislav.yasevich@...com> > --- > net/sctp/auth.c | 4 ++++ > net/sctp/socket.c | 5 +++++ > 2 files changed, 9 insertions(+), 0 deletions(-) > > diff --git a/net/sctp/auth.c b/net/sctp/auth.c > index 675a5c3..1fcb4cf 100644 > --- a/net/sctp/auth.c > +++ b/net/sctp/auth.c > @@ -80,6 +80,10 @@ static struct sctp_auth_bytes *sctp_auth_create_key(__u32 key_len, gfp_t gfp) This should be __u16 key_len. > { > struct sctp_auth_bytes *key; > > + /* Verify that we are not going to overflow INT_MAX */ > + if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes)) > + return NULL; Shouldn't this be UINT_MAX? But then if you are going to change sctp_auth_create_key() to accept __u16 key_len, then it should be USHORT_MAX. > /* Allocate the shared key */ > key = kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp); > if (!key) > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index bb5c9ef..afa952e 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -3144,6 +3144,11 @@ static int sctp_setsockopt_auth_key(struct sock *sk, > goto out; > } > > + if (authkey->sca_keylength > optlen) { > + ret = -EINVAL; > + goto out; Is there a better upper bound check? > asoc = sctp_id2assoc(sk, authkey->sca_assoc_id); > if (!asoc && authkey->sca_assoc_id && sctp_style(sk, UDP)) { > ret = -EINVAL; Thanks, Eugene -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists