| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20120630121748.GD22767@elgon.mountain> Date: Sat, 30 Jun 2012 15:17:48 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: Vlad Yasevich <vyasevich@...il.com> Cc: linux-sctp@...r.kernel.org, netdev@...r.kernel.org Subject: possible integer underflow in __sctp_auth_cid() In 555d3d5d "SCTP: Fix chunk acceptance when no authenticated chunks were listed.", we added a check for if (param->param_hdr.length == 0). Shouldn't that check be a check for if (param->param_hdr.length < sizeos(sizeof(sctp_paramhdr_t)))? Otherwise, when we do the substraction on the next line we would unintentionally end up with a high positive number. I had a similar question about sctp_auth_ep_add_chunkid(): net/sctp/auth.c 770 /* Check if we can add this chunk to the array */ 771 param_len = ntohs(p->param_hdr.length); 772 nchunks = param_len - sizeof(sctp_paramhdr_t); 773 if (nchunks == SCTP_NUM_CHUNK_TYPES) 774 return -EINVAL; 775 776 p->chunks[nchunks] = chunk_id; If param_len is less than sizeof(sctp_paramhdr_t) we could write past the end of the array. There are a couple other places with this same subtraction as well. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists