| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0b2713a4e53f68f2636687c8caeb5a20803a2a1a.camel@redhat.com>
Date: Thu, 24 Jun 2021 15:15:59 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Eric Dumazet <eric.dumazet@...il.com>,
"David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>
Cc: netdev <netdev@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>,
Tom Herbert <tom@...bertland.com>
Subject: Re: [PATCH v2 net] ipv6: fix out-of-bound access in ip6_parse_tlv()
On Thu, 2021-06-24 at 03:07 -0700, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@...gle.com>
>
> First problem is that optlen is fetched without checking
> there is more than one byte to parse.
>
> Fix this by taking care of IPV6_TLV_PAD1 before
> fetching optlen (under appropriate sanity checks against len)
>
> Second problem is that IPV6_TLV_PADN checks of zero
> padding are performed before the check of remaining length.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Fixes: c1412fce7ecc ("net/ipv6/exthdrs.c: Strict PadN option checking")
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Paolo Abeni <pabeni@...hat.com>
> Cc: Tom Herbert <tom@...bertland.com>
> ---
> v2: Removed not needed optlen assignment for IPV6_TLV_PAD1 handling,
> added the Fixes: tag for first problem, feedback from Paolo, thanks !
>
> net/ipv6/exthdrs.c | 27 +++++++++++++--------------
> 1 file changed, 13 insertions(+), 14 deletions(-)
>
> diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
> index 6f7da8f3e2e5849f917853984c69bf02a0f1e27c..26882e165c9e37a105f988020031f03d6b1a5cf9 100644
> --- a/net/ipv6/exthdrs.c
> +++ b/net/ipv6/exthdrs.c
> @@ -135,18 +135,23 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs,
> len -= 2;
>
> while (len > 0) {
> - int optlen = nh[off + 1] + 2;
> - int i;
> + int optlen, i;
>
> - switch (nh[off]) {
> - case IPV6_TLV_PAD1:
> - optlen = 1;
> + if (nh[off] == IPV6_TLV_PAD1) {
> padlen++;
> if (padlen > 7)
> goto bad;
> - break;
> + off++;
> + len--;
> + continue;
> + }
> + if (len < 2)
> + goto bad;
> + optlen = nh[off + 1] + 2;
> + if (optlen > len)
> + goto bad;
>
> - case IPV6_TLV_PADN:
> + if (nh[off] == IPV6_TLV_PADN) {
> /* RFC 2460 states that the purpose of PadN is
> * to align the containing header to multiples
> * of 8. 7 is therefore the highest valid value.
> @@ -163,12 +168,7 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs,
> if (nh[off + i] != 0)
> goto bad;
> }
> - break;
> -
> - default: /* Other TLV code so scan list */
> - if (optlen > len)
> - goto bad;
> -
> + } else {
> tlv_count++;
> if (tlv_count > max_count)
> goto bad;
> @@ -188,7 +188,6 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs,
> return false;
>
> padlen = 0;
> - break;
> }
> off += optlen;
> len -= optlen;
LGTM!
Reviewd-by: Paolo Abeni <pabeni@...hat.com>
Powered by blists - more mailing lists