Message-ID: <20191214172126.3f5027a4@cakuba.netronome.com>
Date: Sat, 14 Dec 2019 17:21:26 -0800
From: Jakub Kicinski <jakub.kicinski@...ronome.com>
To: Taehee Yoo <ap420073@...il.com>
Cc: davem@...emloft.net, pablo@...filter.org, laforge@...monks.org,
osmocom-net-gprs@...ts.osmocom.org, netdev@...r.kernel.org
Subject: Re: [PATCH net 0/4] gtp: fix several bugs in gtp module

On Wed, 11 Dec 2019 08:22:43 +0000, Taehee Yoo wrote:
> This patchset fixes several bugs in the GTP module.
>
> 1. Do not allow adding duplicate TID and ms_addr pdp context.
> In the current code, duplicate TID and ms_addr pdp context could be added.
> So, RX and TX path could find correct pdp context.
>
> 2. Fix wrong condition in ->dumpit() callback.
> ->dumpit() callback is re-called if dump packet size is too big.
> So, before return, it saves last position and then restarts from
> last dump position.
> TID value is used to find last dump position.
> GTP module allows adding zero TID value. But ->dumpit() callback ignores
> zero TID value.
> So, dump would not work correctly if dump packet size is too big.
>
> 3. Fix use-after-free in ipv4_pdp_find().
> RX and TX paths always use gtp->tid_hash and gtp->addr_hash.
> But during packet processing, these hash pointers would be freed.
> So, use-after-free would occur.
>
> 4. Fix panic because of zero size hashtable
> GTP hashtable size could be set by user-space.
> If hashsize is set to 0, hashtable will not work and panic will occur.

Looks good to me, thank you, applied and queued for stable.
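
Item 2 of the quoted cover letter, as an added example that is not part of this thread or of the gtp module: a simplified user-space model of a resumable dump whose cursor is the last TID, next to a position-based cursor. All names (`dump_by_tid`, `dump_by_pos`, `run_dump`, `CAP`, `MAX_CALLS`) and the sample TIDs are hypothetical, and the position-based cursor is one possible correction, not necessarily the one the patch uses.

```c
#include <stdint.h>
#include <stdio.h>

#define NENT 3       /* entries in the one hash bucket modelled here */
#define CAP 1        /* entries that fit in one dump message (assumed) */
#define MAX_CALLS 8  /* bound so a dump that never advances still returns */
struct cursor { uint64_t tid; size_t skip; };  /* state kept between calls */
typedef int (*dump_fn)(const uint64_t *, struct cursor *, uint64_t *, size_t *);

/* Resume by saved TID: a saved TID of 0 looks the same as "no cursor". */
static int dump_by_tid(const uint64_t *b, struct cursor *cb, uint64_t *out, size_t *n) {
    uint64_t tid = cb->tid;
    for (size_t j = 0, used = 0; j < NENT; j++) {
        if (tid && tid != b[j])
            continue;                 /* still searching for the resume point */
        tid = 0;
        /* message full: save the entry that did not fit, ask to be re-called */
        if (used++ == CAP) { cb->tid = b[j]; return 1; }
        out[(*n)++] = b[j];
    }
    return 0;
}

/* Resume by position: the cursor is the index of the next entry to dump. */
static int dump_by_pos(const uint64_t *b, struct cursor *cb, uint64_t *out, size_t *n) {
    for (size_t j = cb->skip, used = 0; j < NENT; j++) {
        if (used++ == CAP) { cb->skip = j; return 1; }
        out[(*n)++] = b[j];
    }
    return 0;
}

/* Returns the number of entries dumped, or -1 if the dump never completed. */
static int run_dump(dump_fn fn, const uint64_t *b, uint64_t *out) {
    struct cursor cb = { 0, 0 };
    size_t n = 0;
    for (int call = 0; call < MAX_CALLS; call++)
        if (!fn(b, &cb, out, &n))
            return (int)n;
    return -1;
}

int main(void) {
    const uint64_t tids[NENT] = { 5, 0, 7 };  /* constructed sample; TID 0 is valid */
    uint64_t out[MAX_CALLS * CAP];
    printf("by tid: %d\n", run_dump(dump_by_tid, tids, out));
    printf("by pos: %d\n", run_dump(dump_by_pos, tids, out));
    return 0;
}
```

With the TID cursor, the dump stops at the zero-TID entry, restarts from the head of the bucket on every call and repeats the first entry until the call bound is hit; with non-zero TIDs the same function completes normally.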