| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Feb 2010 08:21:25 -0800 From: "Stephens, Allan" <allan.stephens@...driver.com> To: "Neil Horman" <nhorman@...driver.com> Cc: <netdev@...r.kernel.org>, <jon.maloy@...csson.com>, <tipc-discussion@...ts.sourceforge.net>, <davem@...emloft.net> Subject: RE: [PATCH]: tipc: Fix oops on send prior to entering networked mode Neil wrote: > I agree that you patch fixes the exact problem that I > reported here, but theres more to it than that. A quick grep > of the tipc stack reveals the following > symbols: > tipc_bearers > media_list > tipc_local_nodes > bcbearer > bclink > tipc_net.zones > > All of these symbols: > > 1) Are allocated dynamically in tipc_net_start, _after_ > tipc_mode is set to TIPC_NET_MODE > > 2) dereferenced without NULL pointer checks in either the > send path or in the netlink configuration path, both of which > are reachable from user space. > > So your patch fixes the last item on your list, but what > about the others? In fact, I'll bet I can very quickly > change the application to trip over a null tipc_local_nodes > dereference by changing the destination address to be > something within zone 0, cluster 0. The semantics of TIPC addressing don't allow a node address of the form <0.0.N> where N != 0, so this kind of a send ateempt should be caught and handled by TIPC. However, you've already found one missing error check, so it's certainly worth trying it out! Regards, Al -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists