Message-ID: <1333338345.2325.6591.camel@edumazet-glaptop>
Date: Mon, 02 Apr 2012 05:45:45 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: David Miller <davem@...emloft.net>
Cc: xiaosuo@...il.com, kaber@...sh.net, pablo@...filter.org,
netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH] net: check the length of the data before dereferencing it
On Sun, 2012-04-01 at 23:29 -0400, David Miller wrote:
> From: Eric Dumazet <eric.dumazet@...il.com>
> Date: Mon, 02 Apr 2012 05:19:33 +0200
>
> >> @@ -3845,6 +3845,8 @@ void tcp_parse_options(const struct sk_buff *skb, struct tcp_options_received *o
> >> length--;
> >> continue;
> >> default:
> >> + if (length < 2)
> >> + return;
> >> opsize = *ptr++;
> >> if (opsize < 2) /* "silly options" */
> >> return;
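Review bot: The added `if (length < 2)` test in the `default:` branch carries no comment, while the `opsize < 2` test two lines below it does, and its purpose is not obvious from the code alone. Suggest a short comment stating that the option's length byte must lie inside the remaining `length` before `opsize = *ptr++;` reads it, and saying the same in the commit message.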
> >
> > Acked-by: Eric Dumazet <eric.dumazet@...il.com>
>
> Tag Eric, you're it.
>
> You ACK'd this patch, so you get to show how this is actually able
> to cause some kind of problem.
>
> I assert that this is adding a useless test, that doesn't fix any kind
> of possible crash or misbehavior. If length == 1 at the default:, the
> code will absolutely do the right thing.
>
> Prove me wrong.
No problem.
You can have NOP,NOP,NOP,EVIL-OPTION
initial length=4 (multiple of 4)
We can read 5 bytes, and access 'out of bound' memory.
Usually not a problem since we have many bytes after our head.
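
The NOP,NOP,NOP case from the reply above, as an added example that is not part of the original message or the kernel source: a userspace model of the option walk, run with and without the two added lines. The loop around the hunk (opcode read, partial-option check, skip), the name `walk_options`, the option kind 0xfd and the sentinel byte are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1

/* Userspace model of the option walk around the quoted hunk (assumed shape).
 * Returns how many bytes were read from opts; a value above the caller's
 * length means the walk read past the end of the option area. */
static size_t walk_options(const unsigned char *opts, int length, int with_check)
{
	const unsigned char *ptr = opts;

	while (length > 0) {
		int opcode = *ptr++;
		int opsize;

		switch (opcode) {
		case TCPOPT_EOL:
			return ptr - opts;
		case TCPOPT_NOP:
			length--;
			continue;
		default:
			if (with_check && length < 2)	/* the two added lines */
				return ptr - opts;
			opsize = *ptr++;
			if (opsize < 2)			/* "silly options" */
				return ptr - opts;
			if (opsize > length)		/* partial option */
				return ptr - opts;
			ptr += opsize - 2;		/* skip the option payload */
			length -= opsize;
		}
	}
	return ptr - opts;
}

/* Constructed sample: NOP,NOP,NOP and one option kind byte (length 4),
 * followed by a sentinel byte standing in for whatever lies after. */
static const unsigned char sample[5] = { 1, 1, 1, 0xfd, 0xaa };

int main(void)
{
	printf("without check: %zu bytes read\n", walk_options(sample, 4, 0));
	printf("with check:    %zu bytes read\n", walk_options(sample, 4, 1));
	return 0;
}
```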