| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080331084522.5c9a2732@extreme>
Date: Mon, 31 Mar 2008 08:45:22 -0700
From: Stephen Hemminger <shemminger@...ux-foundation.org>
To: netdev@...r.kernel.org
Subject: Fw: [Bug 10371] New: On big-endian machines getsockopt returns 0
(via optval) for optlen==1 when returned value should 255
Begin forwarded message:
Date: Mon, 31 Mar 2008 08:16:05 -0700 (PDT)
From: bugme-daemon@...zilla.kernel.org
To: shemminger@...ux-foundation.org
Subject: [Bug 10371] New: On big-endian machines getsockopt returns 0 (via optval) for optlen==1 when returned value should 255
http://bugzilla.kernel.org/show_bug.cgi?id=10371
Summary: On big-endian machines getsockopt returns 0 (via optval)
for optlen==1 when returned value should 255
Product: Networking
Version: 2.5
KernelVersion: 2.6.24
Platform: All
OS/Version: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: IPV4
AssignedTo: shemminger@...ux-foundation.org
ReportedBy: M.Piechaczek@...osys.tv
Latest working kernel version:
Earliest failing kernel version: all 2.6
Distribution:
Hardware Environment:
Software Environment:
Problem Description:
On big-endian machines getsockopt fails for optlen==1 when returned value is
255.
Eg. after calling
unsigned char ttl = 255;
socklen_t len = sizeof(ttl);
setsockopt(socket, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, &len);
the following call will fail:
getsockopt(socket, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, &len);
"ttl" returned will be 0.
It's because of bug in /net/ipv4/ip_sockglue.c:
static int do_ip_getsockopt(struct sock *sk, int level, int optname,
char __user *optval, int __user *optlen)
....
if (len < sizeof(int) && len > 0 && val>=0 && val<255) {
unsigned char ucval = (unsigned char)val;
len = 1;
if (put_user(len, optlen))
return -EFAULT;
if (copy_to_user(optval,&ucval,1))
return -EFAULT;
} else {
len = min_t(unsigned int, sizeof(int), len);
if (put_user(len, optlen))
return -EFAULT;
if (copy_to_user(optval,&val,len))
return -EFAULT;
}
return 0;
}
The comparision in if-statement should be:
if (len < sizeof(int) && len > 0 && val>=0 && val<=255)
Otherwise on big-endian machines copy_to_user(optval,&val,len) routine copies
first (highest) byte which is 0 in that case.
This bug does not occur on low-endian machines since
copy_to_user(optval,&val,len) copies right (lowest) byte in that case.
--
Configure bugmail: http://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists