lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AE90C24D6B3A694183C094C60CF0A2F6D8AEDB@saturn3.aculab.com>
Date:	Wed, 23 Nov 2011 14:53:18 -0000
From:	"David Laight" <David.Laight@...LAB.COM>
To:	"Alan Cox" <alan@...rguk.ukuu.org.uk>,
	"Xi Wang" <xi.wang@...il.com>
Cc:	<linux-kernel@...r.kernel.org>, "Joerg Reuter" <jreuter@...na.de>,
	"Ralf Baechle" <ralf@...ux-mips.org>,
	"David Miller" <davem@...emloft.net>, <linux-hams@...r.kernel.org>,
	<netdev@...r.kernel.org>
Subject: RE: [PATCH 1/2] ax25: integer overflows in ax25_setsockopt()

 
> > All these magic numbers come from net/ax25/sysctl_net_ax25.c, where
> > min/max values of each field are set for sysctl.  Is it okay to use
> > them?
> 
> The sysctl range is the 'standard' range, but it's always historically
> been possible to override them in apps for special cases. I'm wary of
> changing that because people do insane things like AX.25 
> bounced off the moon where you need very long timeouts.

It is a long time since I wrote any of the X.25 protocol
stack layers, but I would agree that limiting timers to the
values defined in the standard is probably not a good idea.

Even normal telco's may have decided to use values that
are outside the nominal range.

These timers are almost certainly either 'guard' timers
for missing responses or retransmit timers for 'keepalive'
messages - so allowing much larger values doesn't matter.
I'd only limit them in order to stop the code breaking.

The lower limit (1 second) will be below the limit for the
protocol - but exists to stop the code breaking.

	David


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ