| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1269208774.3004.15.camel@edumazet-laptop>
Date: Sun, 21 Mar 2010 22:59:34 +0100
From: Eric Dumazet <eric.dumazet@...il.com>
To: James Morris <jmorris@...ei.org>
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH] Netfilter: Fix integer overflow in
net/ipv6/netfilter/ip6_tables.c (fwd)
Le lundi 22 mars 2010 à 08:50 +1100, James Morris a écrit :
> ---------- Forwarded message ----------
> Date: Sat, 20 Mar 2010 22:32:40 +0800
> From: wzt.wzt@...il.com
> To: linux-kernel@...r.kernel.org
> Cc: netfilter-devel@...r.kernel.org, kaber@...sh.net
> Subject: [PATCH] Netfilter: Fix integer overflow in
> net/ipv6/netfilter/ip6_tables.c
>
> The get.size field in the get_entries() interface is not bounded
> correctly. The size is used to determine the total entry size.
> The size is bounded, but can overflow and so the size checks may
> not be sufficient to catch invalid size. Fix it by catching size
> values that would cause overflows before calculating the size.
>
> Signed-off-by: Zhitong Wang <zhitong.wangzt@...baba-inc.com>
>
Unless I am wrong, this patch is not necessary, since we do a bit
later :
if (get.size == private->size)
ret = copy_entries_to_user(private->size,
t, uptr->entrytable);
else {
duprintf("get_entries: I've got %u not %u!\n",
private->size, get.size);
ret = -EAGAIN;
}
So if get.size doesnt match private->size (kernel certified), we exit
with an error. No calculation, no overflow involved.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists