| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20191127080850.2707eef0@hermes.lan>
Date: Wed, 27 Nov 2019 08:08:50 -0800
From: Stephen Hemminger <stephen@...workplumber.org>
To: netdev@...r.kernel.org
Subject: Fw: [Bug 205681] New: recvmg is overwriting the buffer passed in
msg_name by exceeding msg_namelen
Begin forwarded message:
Date: Wed, 27 Nov 2019 06:36:50 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: stephen@...workplumber.org
Subject: [Bug 205681] New: recvmg is overwriting the buffer passed in msg_name by exceeding msg_namelen
https://bugzilla.kernel.org/show_bug.cgi?id=205681
Bug ID: 205681
Summary: recvmg is overwriting the buffer passed in msg_name by
exceeding msg_namelen
Product: Networking
Version: 2.5
Kernel Version: 5.4,4.0,3.0,2.6
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: high
Priority: P1
Component: IPV4
Assignee: stephen@...workplumber.org
Reporter: sudheendrasp@...il.com
Regression: No
if (msg->msg_name) {
struct sockaddr_rxrpc *srx = msg->msg_name;
size_t len = sizeof(call->peer->srx);
memcpy(msg->msg_name, &call->peer->srx, len);
srx->srx_service = call->service_id;
msg->msg_namelen = len;
}
As seen, recvmsg is doing memcpy of len which can be greater than msg_namelen
passed.
--
You are receiving this mail because:
You are the assignee for the bug.
Powered by blists - more mailing lists