lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 02 Apr 2012 08:43:01 +0200 From: Eric Dumazet <eric.dumazet@...il.com> To: Changli Gao <xiaosuo@...il.com> Cc: David Miller <davem@...emloft.net>, kaber@...sh.net, pablo@...filter.org, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH] net: check the length of the data before dereferencing it On Mon, 2012-04-02 at 14:27 +0800, Changli Gao wrote: > On Mon, Apr 2, 2012 at 12:54 PM, Eric Dumazet <eric.dumazet@...il.com> wrote: > > On Mon, 2012-04-02 at 12:47 +0800, Changli Gao wrote: > > > >> Got it. Thanks. FYI, the tcp options are copied to the stack before > >> being parsed. > >> > > > > What do you mean ? > > > > code looks like : > > > > const struct tcphdr *th = tcp_hdr(skb); > > int length = (th->doff * 4) - sizeof(struct tcphdr); > > > > ptr = (const unsigned char *)(th + 1); > > > > > > > > Therefore ptr points somewhere in skb->head ... > > > > > > > > Oh, sorry. I forgot to add the condition when I wrote it down. I mean > the code in netfilter. > > unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; > const unsigned char *ptr; > int length = (tcph->doff*4) - sizeof(struct tcphdr); > > if (!length) > return; > > ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr), > length, buff); > BUG_ON(ptr == NULL); > Doesnt really save us, skb_header_pointer() copies only if block not directly and fully accessible in skb->head So if skb->head contains exactly the tcp options, we still can read one uninit byte. So potential problem in netfilter too. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists