lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CADvbK_couZ5M=mgk9QHLYGP4rgpL51bsSKj2+Qz0Lnc42DOSVg@mail.gmail.com>
Date:   Thu, 15 Nov 2018 00:11:55 +0900
From:   Xin Long <lucien.xin@...il.com>
To:     Neil Horman <nhorman@...driver.com>
Cc:     network dev <netdev@...r.kernel.org>, linux-sctp@...r.kernel.org,
        Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
        davem <davem@...emloft.net>
Subject: Re: [PATCHv2 net-next 1/4] sctp: define subscribe in sctp_sock as __u16

On Wed, Nov 14, 2018 at 2:16 AM Neil Horman <nhorman@...driver.com> wrote:
>
> On Tue, Nov 13, 2018 at 02:24:53PM +0800, Xin Long wrote:
> >
> >       /* Default Peer Address Parameters.  These defaults can
> >        * be modified via SCTP_PEER_ADDR_PARAMS
> > @@ -5267,14 +5274,24 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
> >  static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
> >                                 int __user *optlen)
> >  {
> > +     struct sctp_event_subscribe subscribe;
> > +     __u8 *sn_type = (__u8 *)&subscribe;
> > +     int i;
> > +
> >       if (len == 0)
> >               return -EINVAL;
> >       if (len > sizeof(struct sctp_event_subscribe))
> >               len = sizeof(struct sctp_event_subscribe);
> >       if (put_user(len, optlen))
> >               return -EFAULT;
> > -     if (copy_to_user(optval, &sctp_sk(sk)->subscribe, len))
> > +
> > +     for (i = 0; i <= len; i++)
> > +             sn_type[i] = sctp_ulpevent_type_enabled(sctp_sk(sk)->subscribe,
> > +                                                     SCTP_SN_TYPE_BASE + i);
> > +
> This seems like an off by one error.  sctp_event_subscribe has N bytes in it (1
> byte for each event), meaning that that events 0-(N-1) are subscribable.
> Iterating this loop imples that you are going to check N events, overrunning the
> sctp_event_subscribe struct.
you're right, thanks.

>
> Neil
>
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ