| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20131220181143.GA10997@order.stressinduktion.org>
Date: Fri, 20 Dec 2013 19:11:43 +0100
From: Hannes Frederic Sowa <hannes@...essinduktion.org>
To: Florian Westphal <fw@...len.de>
Cc: netdev <netdev@...r.kernel.org>, linux-hams@...r.kernel.org
Subject: Re: possible rose recvmsg behavior change after msg_namelen fixes
On Fri, Dec 20, 2013 at 05:02:07PM +0100, Florian Westphal wrote:
> Hi.
>
> recvmsg handler in net/rose/af_rose.c performs size-check
> on ->msg_namelen:
>
> if (msg->msg_namelen >= sizeof(struct full_sockaddr_rose)) {
> /* something */
> } else {
> /* else */
> }
>
> Now that msg_namelen is zeroed before the handler calls we always
> hit the 'else' branch.
>
> TBH i don't comprehend how this was/is supposed to work.
>
> Could someone who is familiar with AF_ROSE look at this, before
> I send untested patch that blindly chops off code?
Good catch, thanks!
If in doubt I would just replace msg->msg_namelen with sizeof(struct
sockaddr_storage) and do manual constant folding. ;)
I still have some patches in this area (somehow validating msg_namelen before
calling down to recvmsg, so that we don't dequeue a skb if the msg_name logic
would error out when writing the result back to user space).
The patch is still a mess but maybe we can pass the actual user-supplied
msg_namelen down then, eventually.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists