| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Nov 2006 23:21:32 +0100
From: "Jesper Juhl" <jesper.juhl@...il.com>
To: "David Rientjes" <rientjes@...washington.edu>
Cc: linux-kernel@...r.kernel.org,
"Michael Hipp" <Michael.Hipp@...dent.uni-tuebingen.de>,
"Karsten Keil" <kkeil@...e.de>,
"Kai Germaschewski" <kai.germaschewski@....de>,
isdn4linux@...tserv.isdn4linux.de, starvik@...s.com,
dev-etrax@...s.com
Subject: Re: [PATCH] ISDN: Avoid a potential NULL ptr deref in ippp
On 21/11/06, David Rientjes <rientjes@...washington.edu> wrote:
> On Tue, 21 Nov 2006, Jesper Juhl wrote:
>
> > Any reason why we can't apply the patch below?
> >
> > On 30/10/06, Jesper Juhl <jesper.juhl@...il.com> wrote:
> > >
> > > There's a potential problem in isdn_ppp.c::isdn_ppp_decompress().
> > > dev_alloc_skb() may fail and return NULL. If it does we will be passing a
> > > NULL skb_out to ipc->decompress() and may also end up
> > > dereferencing a NULL pointer at
> > > *proto = isdn_ppp_strip_proto(skb_out);
> > > Correct this by testing 'skb_out' against NULL early and bail out.
> > >
> > >
> > > Signed-off-by: Jesper Juhl <jesper.juhl@...il.com>
> > > ---
> > >
> > > drivers/isdn/i4l/isdn_ppp.c | 5 +++++
> > > 1 files changed, 5 insertions(+), 0 deletions(-)
> > >
> > > diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
> > > index 119412d..5a97ce6 100644
> > > --- a/drivers/isdn/i4l/isdn_ppp.c
> > > +++ b/drivers/isdn/i4l/isdn_ppp.c
> > > @@ -2536,6 +2536,11 @@ static struct sk_buff *isdn_ppp_decompre
> > > rsparm.maxdlen = IPPP_RESET_MAXDATABYTES;
> > >
> > > skb_out = dev_alloc_skb(is->mru + PPP_HDRLEN);
> > > + if (!skb_out) {
> > > + kfree_skb(skb);
> > > + printk(KERN_ERR "ippp: decomp memory allocation
> > > failure\n");
> > > + return NULL;
> > > + }
> > > len = ipc->decompress(stat, skb, skb_out, &rsparm);
> > > kfree_skb(skb);
> > > if (len <= 0) {
> > >
> >
>
> I'm not sure that there's a problem with the original code. If skb_out
> cannot be allocated, the ipc->decompress function should return NULL
> because struct ippp_struct *master would have been passed as NULL. So len
> would be 0 upon return, skb would be freed, and the following switch
> statement would catch the error. Notice it's not a bug to pass NULL to
> kfree_skb() later.
>
Ok, I see your point. There may not be an actual bug here, but
couldn't it still be considered an improvement, given that with my
patch we'll a) print a warning that we ran into a memory shortage
problem, and b) we save a call to ipc->decompress() and some switch
logic in the failing case. ???
I still think the patch makes sense. Perhaps not for the reasons
initially stated, but it adds an error message for a condition that
people may want to see and it errors out a bit earlier in the error
case.
--
Jesper Juhl <jesper.juhl@...il.com>
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please http://www.expita.com/nomime.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists