lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <578574E4.5050704@iogearbox.net>
Date:	Wed, 13 Jul 2016 00:53:24 +0200
From:	Daniel Borkmann <daniel@...earbox.net>
To:	Willem de Bruijn <willemdebruijn.kernel@...il.com>,
	netdev@...r.kernel.org
CC:	alexei.starovoitov@...il.com, davem@...emloft.net,
	hannes@...essinduktion.org, eric.dumazet@...il.com,
	Willem de Bruijn <willemb@...gle.com>
Subject: Re: [PATCH net 2/2] dccp: limit sk_filter trim to payload

On 07/13/2016 12:18 AM, Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@...gle.com>
>
> Dccp verifies packet integrity, including length, at initial rcv in
> dccp_invalid_packet, later pulls headers in dccp_enqueue_skb.
>
> A call to sk_filter in-between can cause __skb_pull to wrap skb->len.
> skb_copy_datagram_msg interprets this as a negative value, so
> (correctly) fails with EFAULT. The negative length is reported in
> ioctl SIOCINQ or possibly in a DCCP_WARN in dccp_close.
>
> Introduce an sk_receive_skb variant that caps how small a filter
> program can trim packets, and call this in dccp with the header
> length. Excessively trimmed packets are now processed normally and
> queued for reception as 0B payloads.
>
> Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
> Signed-off-by: Willem de Bruijn <willemb@...gle.com>

LGTM, thanks Willem!

Acked-by: Daniel Borkmann <daniel@...earbox.net>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ