Re: Linux kernel IGMP vulnerabilities (fwd)

From: Chris Wright
Date: Tue Dec 14 2004 - 12:54:57 EST

Next message: Chris Wright: "Re: Linux kernel scm_send local DoS (fwd)"
Previous message: Jesse Barnes: "[PATCH] add legacy I/O and memory access routines to /proc/bus/pci API"
In reply to: Marcos D. Marado Torres: "Linux kernel IGMP vulnerabilities (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Marcos D. Marado Torres (marado@xxxxxxxxxxxxxxxxx) wrote:
> Synopsis: Linux kernel IGMP vulnerabilities
> Product: Linux kernel
> Version: 2.4 up to and including 2.4.28, 2.6 up to and including 2.6.9

Here's a patch for the ip_mc_source trouble. I don't believe the remote
one is valid because nrsrcs is checked against payload, so you won't
ever touch random memory.

===== net/ipv4/igmp.c 1.58 vs edited =====
--- 1.58/net/ipv4/igmp.c 2004-11-09 16:44:25 -08:00
+++ edited/net/ipv4/igmp.c 2004-12-10 15:16:17 -08:00
@@ -1778,12 +1778,12 @@ int ip_mc_source(int add, int omode, str
goto done;
rv = !0;
for (i=0; i<psl->sl_count; i++) {
- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
+ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
sizeof(__u32));
- if (rv >= 0)
+ if (rv == 0)
break;
}
- if (!rv) /* source not found */
+ if (rv) /* source not found */
goto done;

/* update the interface filter */
@@ -1825,9 +1825,9 @@ int ip_mc_source(int add, int omode, str
}
rv = 1; /* > 0 for insert logic below if sl_count is 0 */
for (i=0; i<psl->sl_count; i++) {
- rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr,
+ rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
sizeof(__u32));
- if (rv >= 0)
+ if (rv == 0)
break;
}
if (rv == 0) /* address already there is an error */
===== net/ipv6/mcast.c 1.71 vs edited =====
--- 1.71/net/ipv6/mcast.c 2004-11-11 15:07:25 -08:00
+++ edited/net/ipv6/mcast.c 2004-12-10 17:20:46 -08:00
@@ -391,12 +391,12 @@ int ip6_mc_source(int add, int omode, st
goto done;
rv = !0;
for (i=0; i<psl->sl_count; i++) {
- rv = memcmp(&psl->sl_addr, group,
+ rv = memcmp(&psl->sl_addr[i], source,
sizeof(struct in6_addr));
- if (rv >= 0)
+ if (rv == 0)
break;
}
- if (!rv) /* source not found */
+ if (rv) /* source not found */
goto done;

/* update the interface filter */
@@ -437,8 +437,8 @@ int ip6_mc_source(int add, int omode, st
}
rv = 1; /* > 0 for insert logic below if sl_count is 0 */
for (i=0; i<psl->sl_count; i++) {
- rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr));
- if (rv >= 0)
+ rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr));
+ if (rv == 0)
break;
}
if (rv == 0) /* address already there is an error */
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wright: "Re: Linux kernel scm_send local DoS (fwd)"
Previous message: Jesse Barnes: "[PATCH] add legacy I/O and memory access routines to /proc/bus/pci API"
In reply to: Marcos D. Marado Torres: "Linux kernel IGMP vulnerabilities (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]