| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 07 Aug 2010 20:24:16 -0700 (PDT) From: David Miller <davem@...emloft.net> To: dp@...hloadlab.com Cc: kuznet@....inr.ac.ru, jmorris@...ei.org, kaber@...sh.net, yoshfuji@...ux-ipv6.org, pekkas@...core.fi, gilad@...efidence.com, yony@...sleep.com, ori@...sleep.com, ilpo.jarvinen@...sinki.fi, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] tcp: no md5sig option size check bug From: Dmitry Popov <dp@...hloadlab.com> Date: Sat, 7 Aug 2010 23:17:52 +0400 > From: Dmitry Popov <dp@...hloadlab.com> > > tcp_parse_md5sig_option doesn't check md5sig option (TCPOPT_MD5SIG) > length, but tcp_v[46]_inbound_md5_hash assume that it's at least 16 > bytes long. > > Signed-off-by: Dmitry Popov <dp@...hloadlab.com> I'll apply this, but the memcmp() we do against this pointer is always safe because there's at least skb_shared_info()'s worth of valid memory past skb->data guarenteed at all times which is much larger than 16 bytes. So at worst we'd access garbage, but never past a valid piece of allocated memory. Thanks. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists