lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Mon, 17 Dec 2012 17:32:04 +0100
From:	Daniel Borkmann <>
To:	Vlad Yasevich <>
	Daniel Borkmann <>
Subject: [PATCH lksctp-tools] sctp_send: fix msg_control data corruption

The byte array outcmsg is allocated on the stack within the if-block
that test for a valif sctp_sndrcvinfo structure. There, it is assigned
to outmsg.msg_control, which is later on after leaving the if-block
passed to sendmsg. With this minimal example, the following is

int main(void)
	int fd;
	struct sctp_sndrcvinfo sndinfo;

	assert(fd > 0);

	sctp_send(fd, "bla", strlen("bla") + 1, &sndinfo, 0);

	return 0;

strace ./a.out before this patch:

  sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"bla\0", 4}],
          msg_controllen=48, {cmsg_len=3364590592, cmsg_level=0x4003e8
          /* SOL_??? */, cmsg_type=, ...}, msg_flags=0}, 0)

  --> cmsg_len corrupted

strace ./a.out after this patch:

  sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"bla\0", 4}],
          msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */,
                              cmsg_type=, ...}, msg_flags=0}, 0)

This is basically the case since 2005, introduced in the commit 91239acf
("Add sctp_send() API support and testcases"). However, probably this
changed due to a different compiler behaviour / optimization (?), since
it was not visible / affected by older Linux versions.

Cc: Vlad Yasevich <>
Signed-off-by: Daniel Borkmann <>
 src/lib/sendmsg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/sendmsg.c b/src/lib/sendmsg.c
index 1de592d..9046174 100644
--- a/src/lib/sendmsg.c
+++ b/src/lib/sendmsg.c
@@ -76,6 +76,7 @@ sctp_send(int s, const void *msg, size_t len,
 	struct msghdr outmsg;
 	struct iovec iov;
+	char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
 	outmsg.msg_name = NULL;
 	outmsg.msg_namelen = 0;
@@ -86,7 +87,6 @@ sctp_send(int s, const void *msg, size_t len,
 	outmsg.msg_controllen = 0;
 	if (sinfo) {	
-		char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
 		struct cmsghdr *cmsg;
 		outmsg.msg_control = outcmsg;

To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists