| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4A9BD0C5.4010600@trash.net>
Date: Mon, 31 Aug 2009 15:31:49 +0200
From: Patrick McHardy <kaber@...sh.net>
To: Roel Kluin <roel.kluin@...il.com>
CC: "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH] ip6tables: Read outside array bounds
Roel Kluin wrote:
> Check bounds before reading from the s6_addr array. It read 1 past
> the end at s6_addr[16] and eui64[] was also read 1 past the end.
>
> diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
> index db610ba..7b40a20 100644
> --- a/net/ipv6/netfilter/ip6t_eui64.c
> +++ b/net/ipv6/netfilter/ip6t_eui64.c
> @@ -43,8 +43,8 @@ eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
> eui64[0] ^= 0x02;
>
> i = 0;
> - while (ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i]
> - && i < 8)
> + while (i < 8 && ipv6_hdr(skb)->saddr.s6_addr[8 + i] ==
> + eui64[i])
> i++;
>
> if (i == 8)
Nice catch, thanks. We might as well use memcmp though, so I've
committed this patch:
View attachment "x" of type "text/plain" (1204 bytes)
Powered by blists - more mailing lists