lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Wed, 9 Sep 2020 10:19:24 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     nan chen <whutchennan@...il.com>
Cc:     Krzysztof Halasa <khc@...waw.pl>, Jakub Kicinski <kuba@...nel.org>,
        security@...nel.org, Greg KH <greg@...ah.com>,
        "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH] hdlc_ppp: add range checks in ppp_cp_parse_cr()

On Wed, Sep 09, 2020 at 05:37:37AM +0800, nan chen wrote:
> Looks like the judgment of len <sizeof(valid_accm) has a problem.
> The judgment cannot avoid the memory overflow of the memcpy below.
>                         case LCP_OPTION_ACCM: /* async control character
> map */
> +                               if (len < sizeof(valid_accm))
> +                                       goto err_out;
> Assume that the initial value of len is 10.Then the length of 'out' memory
> is 10.
> And assume the value of opt[1] in each loop is 2.
> Then it will loop 3 times.
> 3 times memcpy will cause the 'out' memory to be overwritten by 18 bytes (
> > 10 bytes). This will be memory overflow.
> 
> I think the correct way is to judge the value of opt[1] like this:
> .                        case LCP_OPTION_ACCM: /* async control character
> map */
> +                               if (opt[1] < sizeof(valid_accm))
> +                                       goto err_out;
> 

Yeah.  You're right.  The "nak_len" count would grow faster than it
should leading to memory corruption.  I'll resend.

regards,
dan carpenter

Powered by blists - more mailing lists