lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1305581236.9466.4.camel@edumazet-laptop>
Date:	Mon, 16 May 2011 23:27:16 +0200
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Aristide Fattori <joystick@...urity.dico.unimi.it>
Cc:	netdev@...r.kernel.org, roberto.paleari@...ze.net
Subject: Re: Null pointer dereference in icmp_send

Le lundi 16 mai 2011 à 23:06 +0200, Aristide Fattori a écrit :
> Hi everybody,
> 
> in function icmp_send() (net/ipv4/icmp.c), the parameter passed to
> dev_net() function is not properly validated. This can lead to a NULL
> pointer dereference that crashes the kernel. The bug can be triggered
> remotely, by flooding the target with fragmented IPv4 packets.
> Important fields in the IP packet are:
>  * Flags: the MF flag must be set.
>  * Fragment ID: using pseudo-random values for this field quickly
> fills fragmented queues in the victim's kernel, as it is unable to
> easily reassemble received packets.
>  * TOS: using pseudo-random values for this field triggers the
> creation of more than one route cache entry for the same destination
> address, increasing the chances of incurring in the error condition
> described before.
> Other fields of the packet do not really matter, and they can be set
> to arbitrary values.
> 
> If you are interested, we can provide a small and very dirty python
> script that easily triggers the error condition.
> 

Hi

You forgot to tell us which linux version you used ?

We had some fixes lately in this area.

Thanks


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ