| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 08 Mar 2016 15:05:17 -0500 (EST) From: David Miller <davem@...emloft.net> To: marcelo.leitner@...il.com Cc: netdev@...r.kernel.org, dvyukov@...gle.com, nhorman@...driver.com, vyasevich@...il.com, linux-sctp@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller@...glegroups.com, kcc@...gle.com, glider@...gle.com, sasha.levin@...cle.com, edumazet@...gle.com, lkp@...el.com, fengguang.wu@...el.com Subject: Re: [PATCH net v2] sctp: fix copying more bytes than expected in sctp_add_bind_addr From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com> Date: Tue, 8 Mar 2016 10:34:28 -0300 > Dmitry reported that sctp_add_bind_addr may read more bytes than > expected in case the parameter is a IPv4 addr supplied by the user > through calls such as sctp_bindx_add(), because it always copies > sizeof(union sctp_addr) while the buffer may be just a struct > sockaddr_in, which is smaller. > > This patch then fixes it by limiting the memcpy to the min between the > union size and a (new parameter) provided addr size. Where possible this > parameter still is the size of that union, except for reading from > user-provided buffers, which then it accounts for protocol type. > > Reported-by: Dmitry Vyukov <dvyukov@...gle.com> > Tested-by: Dmitry Vyukov <dvyukov@...gle.com> > Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com> Applied, thanks.
Powered by blists - more mailing lists