lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAFcO6XMo2rFJqb1zZyPgEDtChLHNq26WfhAd5WC+9NMnRNM8uw@mail.gmail.com>
Date:   Fri, 27 Aug 2021 23:35:31 +0800
From:   butt3rflyh4ck <butterflyhuangxx@...il.com>
To:     Dan Carpenter <dan.carpenter@...cle.com>
Cc:     Manivannan Sadhasivam <mani@...nel.org>,
        Loic Poulain <loic.poulain@...aro.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Bjorn Andersson <bjorn.andersson@...aro.org>,
        linux-arm-msm@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH net-next] net: qrtr: make checks in qrtr_endpoint_post() stricter

On Fri, Aug 27, 2021 at 9:24 PM Dan Carpenter <dan.carpenter@...cle.com> wrote:
>
> These checks are still not strict enough.  The main problem is that if
> "cb->type == QRTR_TYPE_NEW_SERVER" is true then "len - hdrlen" is
> guaranteed to be 4 but we need to be at least 16 bytes.  In fact, we
> can reject everything smaller than sizeof(*pkt) which is 20 bytes.
>
> Also I don't like the ALIGN(size, 4).  It's better to just insist that
> data is needs to be aligned at the start.
>
> Fixes: 0baa99ee353c ("net: qrtr: Allow non-immediate node routing")
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> ---
> This was from review.  Not tested.
>
>  net/qrtr/qrtr.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
> index b8508e35d20e..dbb647f5481b 100644
> --- a/net/qrtr/qrtr.c
> +++ b/net/qrtr/qrtr.c
> @@ -493,7 +493,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
>                 goto err;
>         }
>

> -       if (!size || len != ALIGN(size, 4) + hdrlen)
> +       if (!size || size % 3 || len != size + hdrlen)

Hi, (size % 3)  is wrong, is it (size & 3), right ?

>                 goto err;
>
>         if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA &&
> @@ -506,8 +506,12 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
>
>         if (cb->type == QRTR_TYPE_NEW_SERVER) {
>                 /* Remote node endpoint can bridge other distant nodes */
> -               const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
> +               const struct qrtr_ctrl_pkt *pkt;
>
> +               if (size < sizeof(*pkt))

Yes, the size should not be smaller than sizeof(*pkt).

> +                       goto err;
> +
> +               pkt = data + hdrlen;
>                 qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
>         }
>
> --
> 2.20.1
>


Regards,
  butt3rflyh4ck

-- 
Active Defense Lab of Venustech

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ