lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ea5c5e46-568b-2fe2-d1ab-f1131240ab4e@gmail.com>
Date:   Tue, 22 Jan 2019 18:51:45 -0800
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     Jacob Wen <jian.w.wen@...cle.com>, netdev@...r.kernel.org
Cc:     jchapman@...alix.com
Subject: Re: [PATCH net-next v1] l2tp: fix reading optional fields



On 01/22/2019 06:30 PM, Jacob Wen wrote:
> Use pskb_may_pull() to make sure the optional fields are in skb linear
> parts.
> 
> Signed-off-by: Jacob Wen <jian.w.wen@...cle.com>
> ---
> v1: fix warning: ISO C90 forbids mixed declarations and code
> ---
>  net/l2tp/l2tp_core.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
> index 26f1d435696a..c0dfa2bcd218 100644
> --- a/net/l2tp/l2tp_core.c
> +++ b/net/l2tp/l2tp_core.c
> @@ -627,6 +627,8 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
>  
>  	/* Parse and check optional cookie */
>  	if (session->peer_cookie_len > 0) {
> +		if (!pskb_may_pull(skb, ptr - optr + session->peer_cookie_len))
> +			goto discard;

This is completely buggy.

After pskb_may_pull(), the ptr and optr pointers might point to freed data.

So the memcmp() might crash hard.

>  		if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
>  			l2tp_info(tunnel, L2TP_MSG_DATA,
>  				  "%s: cookie mismatch (%u/%u). Discarding.\n",
> @@ -649,6 +651,8 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
>  	L2TP_SKB_CB(skb)->has_seq = 0;
>  	if (tunnel->version == L2TP_HDR_VER_2) {
>  		if (hdrflags & L2TP_HDRFLAG_S) {
> +			if (!pskb_may_pull(skb, ptr - optr + 4))
> +				goto discard;
>  			ns = ntohs(*(__be16 *) ptr);
>  			ptr += 2;
>  			nr = ntohs(*(__be16 *) ptr);
> @@ -663,8 +667,12 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
>  				 session->name, ns, nr, session->nr);
>  		}
>  	} else if (session->l2specific_type == L2TP_L2SPECTYPE_DEFAULT) {
> -		u32 l2h = ntohl(*(__be32 *) ptr);
> +		u32 l2h;
> +
> +		if (!pskb_may_pull(skb, ptr - optr + 4))
> +			goto discard;
>  
> +		l2h = ntohl(*(__be32 *) ptr);
>  		if (l2h & 0x40000000) {
>  			ns = l2h & 0x00ffffff;
>  
> @@ -729,6 +737,8 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
>  	if (tunnel->version == L2TP_HDR_VER_2) {
>  		/* If offset bit set, skip it. */
>  		if (hdrflags & L2TP_HDRFLAG_O) {
> +			if (!pskb_may_pull(skb, ptr - optr + 2))
> +				goto discard;
>  			offset = ntohs(*(__be16 *)ptr);
>  			ptr += 2 + offset;
>  		}
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ