[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <web-37301778@cgp.agava.net>
Date: Sun, 16 May 2004 03:24:08 +0400
From: "Evgeny Demidov" <demidov@...g.net>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Linux Kernel sctp_setsockopt() Integer Overflow
Hello,
>On Sat, 15 May 2004 23:07:00 +0200 (CEST)
> Jirka Kosina <jikos@...os.cz> wrote:
>On Sat, 15 May 2004, Michael Tokarev wrote:
>
>> But kmalloc(0) will return NULL, and the whole
>>setsockopt
>> will finish with errno set to ENOMEM.
>>
>> From 2.4 mm/slab.c:
>> void * kmalloc (size_t size, int flags)
>> {
>> cache_sizes_t *csizep = cache_sizes;
>>
>> for (; csizep->cs_size; csizep++) {
>> if (size > csizep->cs_size)
>> continue;
>> return __kmem_cache_alloc(flags &
>>GFP_DMA ?
>> csizep->cs_dmacachep :
>>csizep->cs_cachep, flags);
>> }
>> return NULL;
>> }
>
>How did you come from the above snippet of the code to
>the idea that
>kmalloc(0) returns NULL?
>
>It allocates the number of bytes equal to the closest
>larger value of
>cache_sizes->cs_size entries ... so on typical system
>this would be
>something like 32 or 64 bytes, depending on the page size
>(see
>include/linux/kmalloc_sizes.h) ... and of course returns
>pointer to this
>data, which is definitely not NULL.
>
Nice advisory, there are couple of bugs like this one ;-),
but I always thought that negative 'optlen' values are
filtered out in sys_setsockopt (net/socket.c):
<snip>
asmlinkage long sys_setsockopt(int fd, int level, int
optname, char *optval, int optlen)
{
int err;
struct socket *sock;
[!] if (optlen < 0)
return -EINVAL;
if ((sock = sockfd_lookup(fd, &err))!=NULL)
{
if (level == SOL_SOCKET)
err=sock_setsockopt(sock,level,optname,optval,optlen);
else
err=sock->ops->setsockopt(sock,
level, optname, optval, optlen);
sockfd_put(sock);
}
return err;
}
</snip>
Best regards
-Evgeny Demidov
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists