[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 9 Sep 2020 10:19:24 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: nan chen <whutchennan@...il.com>
Cc: Krzysztof Halasa <khc@...waw.pl>, Jakub Kicinski <kuba@...nel.org>,
security@...nel.org, Greg KH <greg@...ah.com>,
"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH] hdlc_ppp: add range checks in ppp_cp_parse_cr()
On Wed, Sep 09, 2020 at 05:37:37AM +0800, nan chen wrote:
> Looks like the judgment of len <sizeof(valid_accm) has a problem.
> The judgment cannot avoid the memory overflow of the memcpy below.
> case LCP_OPTION_ACCM: /* async control character
> map */
> + if (len < sizeof(valid_accm))
> + goto err_out;
> Assume that the initial value of len is 10.Then the length of 'out' memory
> is 10.
> And assume the value of opt[1] in each loop is 2.
> Then it will loop 3 times.
> 3 times memcpy will cause the 'out' memory to be overwritten by 18 bytes (
> > 10 bytes). This will be memory overflow.
>
> I think the correct way is to judge the value of opt[1] like this:
> . case LCP_OPTION_ACCM: /* async control character
> map */
> + if (opt[1] < sizeof(valid_accm))
> + goto err_out;
>
Yeah. You're right. The "nak_len" count would grow faster than it
should leading to memory corruption. I'll resend.
regards,
dan carpenter
Powered by blists - more mailing lists