[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1490056423.4770.6.camel@decadent.org.uk>
Date: Tue, 21 Mar 2017 00:33:43 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: Eric Dumazet <eric.dumazet@...il.com>,
Anarcheuz Fritz <anarcheuz@...il.com>
Cc: davem@...emloft.net, security@...nel.org, netdev@...r.kernel.org
Subject: Re: PROBLEM: null-ptr deref in ip_options_echo may lead to denial
of service
On Sun, 2017-03-19 at 22:25 -0700, Eric Dumazet wrote:
> On Mon, 2017-03-20 at 12:59 +0800, Anarcheuz Fritz wrote:
> > Hi David,
> >
> >
> > While working on some legacy kernel I stumbled upon a null-ptr deref in
> > ip_options_echo. The bug has been verified on the latest version
> > 3.2.87 from the supported long-term branch.
> >
>
> Fixed in commit 34b2cef20f19c87999fff3da4071e66937db9644
> ("ipv4: keep skb->dst around in presence of IP options")
>
> For 3.2, since d826eb14ecef was not backported, following patch should
> do it.
>
> (Bug origin was f84af32cbca70 ("net: ip_queue_rcv_skb() helper"))
I see, I thought the vulnerability was introduced by d826eb14ecef.
> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
> index b3648bbef0da..a6e1eeb02267 100644
> --- a/net/ipv4/ip_sockglue.c
> +++ b/net/ipv4/ip_sockglue.c
> @@ -1009,7 +1009,8 @@ e_inval:
> */
> int ip_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
> {
> - if (!(inet_sk(sk)->cmsg_flags & IP_CMSG_PKTINFO))
> + if (!(inet_sk(sk)->cmsg_flags & IP_CMSG_PKTINFO) &&
> + !IPCB(skb)->opt.optlen)
> skb_dst_drop(skb);
> return sock_queue_rcv_skb(sk, skb);
> }
Thanks to both of you; I'll queue this up for 3.2.
Ben.
--
Ben Hutchings
Power corrupts. Absolute power is kind of neat.
- John Lehman, Secretary of the US Navy
1981-1987
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists