lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <1288548884.3090.14.camel@Dan> Date: Sun, 31 Oct 2010 14:14:44 -0400 From: Dan Rosenberg <drosenberg@...curity.com> To: jchapman@...alix.com Cc: netdev@...r.kernel.org, security@...nel.org Subject: [SECURITY] L2TP send buffer allocation size overflows Both PPPoL2TP (in net/l2tp/l2tp_ppp.c, pppol2tp_sendmsg()) and IPoL2TP (in net/l2tp/l2tp_ip.c, l2tp_ip_sendmsg()) make calls to sock_wmalloc() that perform arithmetic on the size argument without any maximum bound. As a result, by issuing sendto() calls with very large sizes, this allocation size will wrap and result in a small buffer being allocated, leading to ugliness immediately after (probably kernel panics due to bad sk_buff tail position, but possibly kernel heap corruption). This issue was just fixed in the core code with: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=253eacc070b114c2ec1f81b067d2fed7305467b0 Even though this won't be an issue for much longer, it should still be fixed here just in case any paths to calling these functions with large sizes are left open. -Dan -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists