| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <BANLkTi=uBDOQOJJMGn6V0Ne7OjQ7kGc-2w@mail.gmail.com> Date: Mon, 16 May 2011 23:06:32 +0200 From: Aristide Fattori <joystick@...urity.dico.unimi.it> To: netdev@...r.kernel.org Cc: roberto.paleari@...ze.net Subject: Null pointer dereference in icmp_send Hi everybody, in function icmp_send() (net/ipv4/icmp.c), the parameter passed to dev_net() function is not properly validated. This can lead to a NULL pointer dereference that crashes the kernel. The bug can be triggered remotely, by flooding the target with fragmented IPv4 packets. Important fields in the IP packet are: * Flags: the MF flag must be set. * Fragment ID: using pseudo-random values for this field quickly fills fragmented queues in the victim's kernel, as it is unable to easily reassemble received packets. * TOS: using pseudo-random values for this field triggers the creation of more than one route cache entry for the same destination address, increasing the chances of incurring in the error condition described before. Other fields of the packet do not really matter, and they can be set to arbitrary values. If you are interested, we can provide a small and very dirty python script that easily triggers the error condition. Greetings, Aristide Fattori Roberto Paleari -- GnuPG Key on keyserver.pgp.com ID 0x25578128 http://security.dico.unimi.it/~joystick/ -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists