Date:   Thu, 15 Nov 2018 00:11:55 +0900
From:   Xin Long <lucien.xin@...il.com>
To:     Neil Horman <nhorman@...driver.com>
Cc:     network dev <netdev@...r.kernel.org>, linux-sctp@...r.kernel.org,
        Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
        davem <davem@...emloft.net>
Subject: Re: [PATCHv2 net-next 1/4] sctp: define subscribe in sctp_sock as __u16

On Wed, Nov 14, 2018 at 2:16 AM Neil Horman <nhorman@...driver.com> wrote:
>
> On Tue, Nov 13, 2018 at 02:24:53PM +0800, Xin Long wrote:
> >
> >       /* Default Peer Address Parameters.  These defaults can
> >        * be modified via SCTP_PEER_ADDR_PARAMS
> > @@ -5267,14 +5274,24 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
> >  static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
> >                                 int __user *optlen)
> >  {
> > +     struct sctp_event_subscribe subscribe;
> > +     __u8 *sn_type = (__u8 *)&subscribe;
> > +     int i;
> > +
> >       if (len == 0)
> >               return -EINVAL;
> >       if (len > sizeof(struct sctp_event_subscribe))
> >               len = sizeof(struct sctp_event_subscribe);
> >       if (put_user(len, optlen))
> >               return -EFAULT;
> > -     if (copy_to_user(optval, &sctp_sk(sk)->subscribe, len))
> > +
> > +     for (i = 0; i <= len; i++)
> > +             sn_type[i] = sctp_ulpevent_type_enabled(sctp_sk(sk)->subscribe,
> > +                                                     SCTP_SN_TYPE_BASE + i);
> > +
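Review bot: the bound "i <= len" in the added for loop runs one iteration too many. len has just been clamped to at most sizeof(struct sctp_event_subscribe), and sn_type points at the local subscribe, so the last iteration stores to sn_type[len], which is one byte past the end of the on-stack struct when len equals its size, and it also queries an event type one beyond what the caller asked for. Use "i < len". Separately, subscribe is filled only for the first len bytes and is not zeroed, so the copy to optval that replaces the removed copy_to_user() line (not visible in the quoted lines) should copy exactly len bytes from the local, never the full struct.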
> This seems like an off by one error.  sctp_event_subscribe has N bytes in it (1
> byte for each event), meaning that events 0-(N-1) are subscribable.
> Iterating this loop implies that you are going to check N events, overrunning the
> sctp_event_subscribe struct.
you're right, thanks.

>
> Neil
>
> >
