[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20150730120025.GB2456@localhost.localdomain>
Date: Thu, 30 Jul 2015 09:00:25 -0300
From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To: David Miller <davem@...emloft.net>
Cc: netdev@...r.kernel.org, vyasevich@...il.com
Subject: Re: [PATCH net] sctp: fix sockopt size check
On Wed, Jul 29, 2015 at 05:07:31PM -0700, David Miller wrote:
> From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
> Date: Tue, 28 Jul 2015 11:16:23 -0300
>
> > The problem is not on being bigger than what we want, but on being
> > smaller, as it causes read of invalid memory.
> >
> > Note that the struct changes on commit 7e8616d8e773 didn't affect
> > sctp_setsockopt_events one but that's where this check was flipped.
> >
> > Fixes: 7e8616d8e773 ("[SCTP]: Update AUTH structures to match
> > declarations in draft-16.")
> > Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
>
> This makes things worse.
>
> The copy_from_user() call is bounded by optlen, so if you allow it to
> be any arbitrary large value the user can write past the end of the
> structure, corrupting kernel memory.
Indeed. I should have changed copy_from_user() to copy the size of the
struct too. But then the issue I thought there was, there isn't and it
just allows partial updates, as it won't read any further than optlen.
> No, the test is correct, or at least necessary, as-is.
Yes. Please drop this. Thanks.
Marcelo
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists