| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Apr 2014 07:53:33 +0200 From: Mathias Krause <minipli@...glemail.com> To: David Miller <davem@...emloft.net> Cc: netdev@...r.kernel.org, Patrick McHardy <kaber@...sh.net>, Pablo Neira Ayuso <pablo@...filter.org> Subject: Re: [PATCH net] filter: prevent nla extensions to peek beyond the end of the message On 14 April 2014 05:33, David Miller <davem@...emloft.net> wrote: > From: Mathias Krause <minipli@...glemail.com> > Date: Sun, 13 Apr 2014 18:23:33 +0200 > >> The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check >> for a minimal message length before testing the supplied offset to be >> within the bounds of the message. This allows the subtraction of the nla >> header to underflow and therefore -- as the data type is unsigned -- >> allowing far to big offset and length values for the search of the >> netlink attribute. >> >> The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is >> also wrong. It has the minuend und subtrahend mixed up, therefore > > I translated the German into English here, re: und --> and :-) > Ups! :D Thanks for the review! Cheers, Mathias -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists