Date:	Thu, 27 Mar 2008 23:58:42 +0100
From:	Thomas Graf <tgraf@...g.ch>
To:	davem@...emloft.net
Cc:	netdev@...r.kernel.org
Subject: [ESP]: Ensure IV is in linear part of the skb to avoid BUG() due to OOB access

ESP does not account for the IV size when calling pskb_may_pull() to
ensure everything it accesses directly is within the linear part of a
potential fragment. This results in a BUG() being triggered when
both the IPv4 and IPv6 ESP stacks are fed with an skb where the first
fragment ends between the end of the esp header and the end of the IV.

This bug was found by Dirk Nehring <dnehring@....net>.

Signed-off-by: Thomas Graf <tgraf@...g.ch>

Index: net-2.6/net/ipv4/esp4.c
===================================================================
--- net-2.6.orig/net/ipv4/esp4.c	2008-03-27 23:47:48.000000000 +0100
+++ net-2.6/net/ipv4/esp4.c	2008-03-27 23:47:58.000000000 +0100
@@ -336,7 +336,7 @@
 	struct scatterlist *asg;
 	int err = -EINVAL;
 
-	if (!pskb_may_pull(skb, sizeof(*esph)))
+	if (!pskb_may_pull(skb, sizeof(*esph) + crypto_aead_ivsize(aead)))
 		goto out;
 
 	if (elen <= 0)
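Review bot: the widened pskb_may_pull() length in this esp4.c hunk has no comment saying why the IV size is counted, so a later cleanup could plausibly shrink it back to sizeof(*esph). A one-line comment above the call, stating that the IV following the ESP header is accessed directly and must sit in the linear part of the skb, would protect the fix. The visible context shows only the asg and err declarations, so please also confirm that aead is already assigned before this check runs.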
Index: net-2.6/net/ipv6/esp6.c
===================================================================
--- net-2.6.orig/net/ipv6/esp6.c	2008-03-27 23:47:48.000000000 +0100
+++ net-2.6/net/ipv6/esp6.c	2008-03-27 23:47:58.000000000 +0100
@@ -282,7 +282,7 @@
 	struct scatterlist *sg;
 	struct scatterlist *asg;
 
-	if (!pskb_may_pull(skb, sizeof(*esph))) {
+	if (!pskb_may_pull(skb, sizeof(*esph) + crypto_aead_ivsize(aead))) {
 		ret = -EINVAL;
 		goto out;
 	}
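Review bot: the length expression sizeof(*esph) + crypto_aead_ivsize(aead) in this esp6.c check is a copy of the one added in esp4.c, and keeping two hand-written copies invites the files drifting apart. Consider a small shared helper, or at least a local variable holding the header-plus-IV length that any later code needing the same offset can reuse. The failure path here sets ret = -EINVAL inside the braces while esp4.c relies on err being preset at its declaration; that difference predates this patch, but aligning the two would make the pair easier to audit.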