| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 22 Jun 2008 12:32:32 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: vladislav.yasevich@...com
Cc: netdev@...r.kernel.org, linux-sctp@...r.kernel.org
Subject: Re: [PATCH]: SCTP length validation.
From: Vlad Yasevich <vladislav.yasevich@...com>
Date: Sat, 21 Jun 2008 11:55:19 -0400
> The same vulnerability also exists in sctp_getsockopt_peer_addrs_old().
> It's a bit more difficult to trigger since there is a dependency on
> the peer being multihomed as well, but it's still possible to cause the
> overwrite.
I can't see how that's possible. This case looks harmless to
me.
The kernel side accesses are perfectly protected. The kernel
will only access the actual address list stored via:
list_for_each_entry(from, &asoc->peer.transport_addr_list,
transports) {
...
cnt ++;
if (cnt >= getaddrs.addr_num) break;
}
getaddrs.addr_num = cnt;
Copies are only made to userspace, and the given ->addr_num only
serves as an early break-out from that loop. I mean, take a look,
those lines in the above are the only aaccesses made to the user's
provided addr_num value.
There is no possibility to use strange ->addr_num values
in order to read or write kernel memory outside of the
intended bounds.
I don't even see any value to adding new checks here.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists