lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 12 Apr 2011 15:15:45 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Jan Lübbe <jluebbe@...ian.org>
Cc:	Scot Doyle <lkml@...tdoyle.com>,
	Stephen Hemminger <shemminger@...tta.com>,
	Hiroaki SHIMODA <shimoda.hiroaki@...il.com>,
	netdev@...r.kernel.org
Subject: Re: Kernel panic when using bridge

Le mardi 12 avril 2011 à 15:02 +0200, Jan Lübbe a écrit :
> Hi! 
> 
> On Tue, 2011-04-12 at 13:49 +0200, Eric Dumazet wrote:
> > Considering recent changes in ip_options_echo() I would suggest to add
> > following patch and/or revert commit 8628bd8af7c4c14f40
> > (ipv4: Fix IP timestamp option (IPOPT_TS_PRESPEC) handling in
> > ip_options_echo())
> 
> I've read this thread, but I'm not sure why my patch is related to these
> kernel panics. The behavior is only changed for packets with the
> timestamp option in prespecified addresses mode. Even then, it shouldn't
> cause ip_options_build to write to unallocated memory later.
> 
> > diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
> > index 28a736f..35f2bf9 100644
> > --- a/net/ipv4/ip_options.c
> > +++ b/net/ipv4/ip_options.c
> > @@ -200,6 +200,11 @@ int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb)
> >                 *dptr++ = IPOPT_END;
> >                 dopt->optlen++;
> >         }
> > +       if (unlikely(dopt->optlen > 40)) {
> > +               pr_err("ip_options_echo() fatal error optlen=%u > 40\n", dopt->optlen);
> > +               print_hex_dump(KERN_ERR, "ip options: ", DUMP_PREFIX_OFFSET,
> > +                       16, 1, dopt->__data, dopt->optlen, false);
> > +       }
> >         return 0;
> >  }
> 
> Here you check dopt->optlen, which certainly should be 40 at most. The
> calculation of dopt->optlen wasn't changed by my patch, though.

Check again the thread Jan.

Scot is using a tool (IP Stack Checker's tcpsic) to forge random tcp
packets.

Maybe your patch is fine but requires a change in a previous function,
to make sure we deny some crazy packet before generating an ip_options
with more than 40 bytes, in an icmp_send() reply.

I took a look at this ip_options stuff and must say its really hard to
even _read_ the code. Understanding it might need several days or a new
brain ?

I cannot Ack or Nack your patch, I must admit it. Isnt it frightening ?



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ