| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180910121707.419b04bc@shemminger-XPS-13-9360> Date: Mon, 10 Sep 2018 12:17:07 -0700 From: Stephen Hemminger <stephen@...workplumber.org> To: Phil Sutter <phil@....cc> Cc: netdev@...r.kernel.org Subject: Re: [iproute PATCH v2] ip-route: Fix segfault with many nexthops On Thu, 6 Sep 2018 15:31:51 +0200 Phil Sutter <phil@....cc> wrote: > It was possible to crash ip-route by adding an IPv6 route with 37 > nexthop statements. A simple reproducer is: > > | for i in `seq 37`; do > | nhs="nexthop via 1111::$i "$nhs > | done > | ip -6 route add 3333::/64 $nhs > > The related code was broken in multiple ways: > > * parse_one_nh() assumed that rta points to 4kB of storage but caller > provided just 1kB. Fixed by passing 'len' parameter with the correct > value. > > * Error checking of rta_addattr*() calls in parse_one_nh() and called > functions was completely absent, so with above fix in place output > flood would occur due to parser looping forever. > > While being at it, increase message buffer sizes to 4k. This allows for > at most 144 nexthops. > > Signed-off-by: Phil Sutter <phil@....cc> Thanks for fixing this. Shows where more test cases are needed.
Powered by blists - more mailing lists