lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4810FDB6.2060805@gmail.com>
Date:	Thu, 24 Apr 2008 14:37:58 -0700
From:	Tom Quetchenbach <virtualphtn@...il.com>
To:	netdev@...r.kernel.org
Subject: [PATCH net-2.6] tcp_probe buffer overflow and incorrect return value

tcp_probe has a bounds-checking bug that causes many programs (less, python) to
crash reading /proc/net/tcp_probe. When it outputs a log line to the reader, it
only checks if that line alone will fit in the reader's buffer, rather than that
line and all the previous lines it has already written.

tcpprobe_read also returns the wrong value if copy_to_user fails--it just passes
on the return value of copy_to_user (number of bytes not copied), which makes a
failure look like a success.

This patch fixes the buffer overflow and sets the return value to -EFAULT if
copy_to_user fails.

Patch is against latest net-2.6; tested briefly and seems to fix the crashes in
less and python.

Signed-off-by: Tom Quetchenbach <virtualphtn@...il.com>


diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
index 1c50959..5ff0ce6 100644
--- a/net/ipv4/tcp_probe.c
+++ b/net/ipv4/tcp_probe.c
@@ -190,19 +190,18 @@ static ssize_t tcpprobe_read(struct file
 
 		width = tcpprobe_sprint(tbuf, sizeof(tbuf));
 
-		if (width < len)
+		if (cnt + width < len)
 			tcp_probe.tail = (tcp_probe.tail + 1) % bufsize;
 
 		spin_unlock_bh(&tcp_probe.lock);
 
 		/* if record greater than space available
 		   return partial buffer (so far) */
-		if (width >= len)
+		if (cnt + width >= len)
 			break;
 
-		error = copy_to_user(buf + cnt, tbuf, width);
-		if (error)
-			break;
+		if (copy_to_user(buf + cnt, tbuf, width))
+			return -EFAULT;
 		cnt += width;
 	}
 
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ