lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date:   Sat, 22 Apr 2017 09:48:27 -0700
From:   Stephen Hemminger <stephen@...workplumber.org>
To:     jon.maloy@...csson.com, ying.xue@...driver.com
Cc:     netdev@...r.kernel.org
Subject: Fw: [Bug 195503] New: tipc: unchecked return value of nlmsg_new()
 in function tipc_nl_node_get_monitor()



Begin forwarded message:

Date: Sat, 22 Apr 2017 14:56:25 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: stephen@...workplumber.org
Subject: [Bug 195503] New: tipc: unchecked return value of nlmsg_new() in function tipc_nl_node_get_monitor()


https://bugzilla.kernel.org/show_bug.cgi?id=195503

            Bug ID: 195503
           Summary: tipc: unchecked return value of nlmsg_new() in
                    function tipc_nl_node_get_monitor()
           Product: Networking
           Version: 2.5
    Kernel Version: linux-4.11-rc7
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
          Assignee: stephen@...workplumber.org
          Reporter: bianpan2010@....edu.cn
        Regression: No

Function nlmsg_new() will return a NULL pointer if there is no enough memory.
In function tipc_nl_node_get_monitor(), the return value of nlmsg_new() is not
checked (see line 2100), which may result in bad memory access. 
tipc_nl_node_get_monitor @@ net/tipc/node.c
2094 int tipc_nl_node_get_monitor(struct sk_buff *skb, struct genl_info *info)
2095 {
2096     struct net *net = sock_net(skb->sk);
2097     struct tipc_nl_msg msg;
2098     int err;
2099 
2100     msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2101     msg.portid = info->snd_portid;
2102     msg.seq = info->snd_seq;
2103 
2104     err = __tipc_nl_add_monitor_prop(net, &msg);
2105     if (err) {
2106         nlmsg_free(msg.skb);
2107         return err;
2108     }
2109 
2110     return genlmsg_reply(msg.skb, info);
2111 }

Generally, the return value of nlmsg_new() should be checked against NULL, as
follows.
nfc_genl_target_lost @@ net/nfc/netlink.c: 
 213 int nfc_genl_target_lost(struct nfc_dev *dev, u32 target_idx)
 214 {
 215     struct sk_buff *msg;
 216     void *hdr;
 217 
 218     msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
 219     if (!msg)
 220         return -ENOMEM;
         ...
 237 nla_put_failure:
 238     genlmsg_cancel(msg, hdr);
 239 free_msg:
 240     nlmsg_free(msg);
 241     return -EMSGSIZE;
 242 }


Thanks very much for your attention!

Pan Bian

-- 
You are receiving this mail because:
You are the assignee for the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ