lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <1355761924-18948-1-git-send-email-dborkman@redhat.com>
Date:	Mon, 17 Dec 2012 17:32:04 +0100
From:	Daniel Borkmann <dborkman@...hat.com>
To:	Vlad Yasevich <vyasevich@...il.com>
Cc:	netdev@...r.kernel.org, lksctp-developers@...ts.sourceforge.net,
	Daniel Borkmann <dborkman@...hat.com>
Subject: [PATCH lksctp-tools] sctp_send: fix msg_control data corruption

The byte array outcmsg is allocated on the stack within the if-block
that test for a valif sctp_sndrcvinfo structure. There, it is assigned
to outmsg.msg_control, which is later on after leaving the if-block
passed to sendmsg. With this minimal example, the following is
happening:

int main(void)
{
	int fd;
	struct sctp_sndrcvinfo sndinfo;

	fd = socket(AF_INET, SOCK_SEQPACKET, IPPROTO_SCTP);
	assert(fd > 0);

	sctp_send(fd, "bla", strlen("bla") + 1, &sndinfo, 0);

	return 0;
}

strace ./a.out before this patch:

  sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"bla\0", 4}],
          msg_controllen=48, {cmsg_len=3364590592, cmsg_level=0x4003e8
          /* SOL_??? */, cmsg_type=, ...}, msg_flags=0}, 0)

  --> cmsg_len corrupted

strace ./a.out after this patch:

  sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"bla\0", 4}],
          msg_controllen=48, {cmsg_len=48, cmsg_level=0x84 /* SOL_??? */,
                              cmsg_type=, ...}, msg_flags=0}, 0)

This is basically the case since 2005, introduced in the commit 91239acf
("Add sctp_send() API support and testcases"). However, probably this
changed due to a different compiler behaviour / optimization (?), since
it was not visible / affected by older Linux versions.

Cc: Vlad Yasevich <vyasevich@...il.com>
Signed-off-by: Daniel Borkmann <dborkman@...hat.com>
---
 src/lib/sendmsg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/sendmsg.c b/src/lib/sendmsg.c
index 1de592d..9046174 100644
--- a/src/lib/sendmsg.c
+++ b/src/lib/sendmsg.c
@@ -76,6 +76,7 @@ sctp_send(int s, const void *msg, size_t len,
 {
 	struct msghdr outmsg;
 	struct iovec iov;
+	char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
 
 	outmsg.msg_name = NULL;
 	outmsg.msg_namelen = 0;
@@ -86,7 +87,6 @@ sctp_send(int s, const void *msg, size_t len,
 	outmsg.msg_controllen = 0;
 
 	if (sinfo) {	
-		char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
 		struct cmsghdr *cmsg;
 
 		outmsg.msg_control = outcmsg;
-- 
1.7.11.7

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ