Date: Sat, 7 Aug 2010 23:17:52 +0400 From: Dmitry Popov <dp@...hloadlab.com> To: "David S. Miller" <davem@...emloft.net>, Alexey Kuznetsov <kuznet@....inr.ac.ru>, James Morris <jmorris@...ei.org>, Patrick McHardy <kaber@...sh.net>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org> Cc: "Pekka Savola (ipv6)" <pekkas@...core.fi>, Gilad Ben-Yossef <gilad@...efidence.com>, Yony Amit <yony@...sleep.com>, Ori Finkelman <ori@...sleep.com>, Ilpo Järvinen <ilpo.jarvinen@...sinki.fi>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [PATCH] tcp: no md5sig option size check bug From: Dmitry Popov <dp@...hloadlab.com> tcp_parse_md5sig_option doesn't check md5sig option (TCPOPT_MD5SIG) length, but tcp_v[46]_inbound_md5_hash assume that it's at least 16 bytes long. Signed-off-by: Dmitry Popov <dp@...hloadlab.com> --- net/ipv4/tcp_input.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 3c426cb..e663b78 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3930,7 +3930,7 @@ u8 *tcp_parse_md5sig_option(struct tcphdr *th) if (opsize < 2 || opsize > length) return NULL; if (opcode == TCPOPT_MD5SIG) - return ptr; + return opsize == TCPOLEN_MD5SIG ? ptr : NULL; } ptr += opsize - 2; length -= opsize; -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
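Review bot: The new return in the TCPOPT_MD5SIG branch makes a wrong-length option indistinguishable from a missing one, since both now yield NULL, and nothing in the hunk or the changelog says this is intended. A one-line comment above `return opsize == TCPOLEN_MD5SIG ? ptr : NULL;` stating that a malformed MD5 signature option is treated as absent, and that parsing stops there instead of continuing to any later option, would make the contract clear to callers. The changelog should also say how tcp_v[46]_inbound_md5_hash handle such a segment when a key is expected for the peer. A smaller point on wording: the changelog says the callers need "at least 16 bytes", while the check is exact equality. Since `ptr += opsize - 2` shows ptr is already past the two-byte kind/length header, equality with TCPOLEN_MD5SIG together with the existing `opsize > length` test is what keeps the digest bytes inside the header, and the message should describe the check in those terms.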