lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 16 May 2004 03:24:08 +0400 From: "Evgeny Demidov" <demidov@...g.net> To: full-disclosure@...ts.netsys.com Cc: bugtraq@...urityfocus.com Subject: Re: Linux Kernel sctp_setsockopt() Integer Overflow Hello, >On Sat, 15 May 2004 23:07:00 +0200 (CEST) > Jirka Kosina <jikos@...os.cz> wrote: >On Sat, 15 May 2004, Michael Tokarev wrote: > >> But kmalloc(0) will return NULL, and the whole >>setsockopt >> will finish with errno set to ENOMEM. >> >> From 2.4 mm/slab.c: >> void * kmalloc (size_t size, int flags) >> { >> cache_sizes_t *csizep = cache_sizes; >> >> for (; csizep->cs_size; csizep++) { >> if (size > csizep->cs_size) >> continue; >> return __kmem_cache_alloc(flags & >>GFP_DMA ? >> csizep->cs_dmacachep : >>csizep->cs_cachep, flags); >> } >> return NULL; >> } > >How did you come from the above snippet of the code to >the idea that >kmalloc(0) returns NULL? > >It allocates the number of bytes equal to the closest >larger value of >cache_sizes->cs_size entries ... so on typical system >this would be >something like 32 or 64 bytes, depending on the page size >(see >include/linux/kmalloc_sizes.h) ... and of course returns >pointer to this >data, which is definitely not NULL. > Nice advisory, there are couple of bugs like this one ;-), but I always thought that negative 'optlen' values are filtered out in sys_setsockopt (net/socket.c): <snip> asmlinkage long sys_setsockopt(int fd, int level, int optname, char *optval, int optlen) { int err; struct socket *sock; [!] if (optlen < 0) return -EINVAL; if ((sock = sockfd_lookup(fd, &err))!=NULL) { if (level == SOL_SOCKET) err=sock_setsockopt(sock,level,optname,optval,optlen); else err=sock->ops->setsockopt(sock, level, optname, optval, optlen); sockfd_put(sock); } return err; } </snip> Best regards -Evgeny Demidov _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists