lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160113075400.GA12580@fi-ourus-dhcp00977.emea.nsn-net.net>
Date:	Wed, 13 Jan 2016 09:54:12 +0200
From:	Matti Vaittinen <matti.vaittinen@...ia.com>
To:	"David S. Miller" <davem@...emloft.net>,
	Johannes Berg <johannes.berg@...el.com>,
	Jiri Benc <jbenc@...hat.com>,
	Matti Vaittinen <matti.vaittinen@...ia.com>
Cc:	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	Sverdlin Alexander <alexander.sverdlin@...ia.com>,
	Pennanen Teppo Olavi <teppo.o.pennanen@...ia.com>
Subject: [PATCH v2 1/1] net: netlink: Fix multicast group storage allocation
 for families with more than one groups

Hello again,

      Second version, Fixed the 'off by one' bug spotted by David.

      Br.
        Matti Vaittinen

Multicast groups are stored in global buffer. Check for needed buffer size
incorrectly compares buffer size to first id for family. This means that
for families with more than one mcast id one may allocate too small buffer
and end up writing rest of the groups to some unallocated memory. Fix the
buffer size check to compare allocated space to last mcast id for the
family.

Tested on ARM using kernel 3.14

Signed-off-by: Matti Vaittinen <matti.vaittinen@...ia.com>
---
 net/netlink/genetlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index bc0e504..5e113ba 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -185,7 +185,7 @@ static int genl_allocate_reserve_groups(int n_groups, int *first_id)
 			}
 		}
 
-		if (id >= mc_groups_longs * BITS_PER_LONG) {
+		if (id + n_groups > mc_groups_longs * BITS_PER_LONG) {
 			unsigned long new_longs = mc_groups_longs +
 						  BITS_TO_LONGS(n_groups);
 			size_t nlen = new_longs * sizeof(unsigned long);
-- 
2.1.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ