| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20101028060529.GX6062@bicker>
Date: Thu, 28 Oct 2010 08:05:29 +0200
From: Dan Carpenter <error27@...il.com>
To: Nelson Elhage <nelhage@...lice.com>
Cc: Eric Dumazet <eric.dumazet@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Robert Olsson <robert.olsson@....uu.se>,
Andy Shevchenko <andy.shevchenko@...il.com>,
netdev@...r.kernel.org
Subject: [patch v3] fix stack overflow in pktgen_if_write()
Nelson Elhage says he was able to oops both amd64 and i386 test
machines with 8k writes to the pktgen file. Let's just allocate the
buffer on the heap instead of on the stack.
This can only be triggered by root so there are no security issues here.
Reported-by: Nelson Elhage <nelhage@...lice.com>
Signed-off-by: Dan Carpenter <error27@...il.com>
---
v3: just use kmalloc()
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 2c0df0f..c8d3620 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -887,12 +887,17 @@ static ssize_t pktgen_if_write(struct file *file,
i += len;
if (debug) {
- char tb[count + 1];
+ char *tb;
+
+ tb = kmalloc(count + 1, GFP_KERNEL);
+ if (!tb)
+ return -ENOMEM;
if (copy_from_user(tb, user_buffer, count))
return -EFAULT;
tb[count] = 0;
printk(KERN_DEBUG "pktgen: %s,%lu buffer -:%s:-\n", name,
(unsigned long)count, tb);
+ kfree(tb);
}
if (!strcmp(name, "min_pkt_size")) {
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists