| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 19 Mar 2017 22:25:00 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Anarcheuz Fritz <anarcheuz@...il.com>,
Ben Hutchings <ben@...adent.org.uk>
Cc: davem@...emloft.net, security@...nel.org, netdev@...r.kernel.org
Subject: Re: PROBLEM: null-ptr deref in ip_options_echo may lead to denial
of service
On Mon, 2017-03-20 at 12:59 +0800, Anarcheuz Fritz wrote:
> Hi David,
>
>
> While working on some legacy kernel I stumbled upon a null-ptr deref in
> ip_options_echo. The bug has been verified on the latest version
> 3.2.87 from the supported long-term branch.
>
Fixed in commit 34b2cef20f19c87999fff3da4071e66937db9644
("ipv4: keep skb->dst around in presence of IP options")
For 3.2, since d826eb14ecef was not backported, following patch should
do it.
(Bug origin was f84af32cbca70 ("net: ip_queue_rcv_skb() helper"))
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index b3648bbef0da..a6e1eeb02267 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1009,7 +1009,8 @@ e_inval:
*/
int ip_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
- if (!(inet_sk(sk)->cmsg_flags & IP_CMSG_PKTINFO))
+ if (!(inet_sk(sk)->cmsg_flags & IP_CMSG_PKTINFO) &&
+ !IPCB(skb)->opt.optlen)
skb_dst_drop(skb);
return sock_queue_rcv_skb(sk, skb);
}
Powered by blists - more mailing lists