[SECURITY,2.4,IPV6]: Fix infinite loop in udp_v6_get_port().

From: Horms
Date: Thu Oct 27 2005 - 01:38:23 EST

Next message: 'David Gibson': "Re: RFC: Cleanup / small fixes to hugetlb fault handling"
Previous message: Ivan Kokshaysky: "Re: AMD 8131 and MSI quirk"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[IPV6]: Fix infinite loop in udp_v6_get_port()

This is CVE-2005-2973, and
87bf9c97b4b3af8dec7b2b79cdfe7bfc0a0a03b2 in Linus' 2.6 Git Tree.
It seems to be relevant to 2.4

[IPV6]: Fix infinite loop in udp_v6_get_port()

Original sign-off

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@xxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>

Mine, indicating that I think it is relevant to 2.4

Signed-off-by: Horms <horms@xxxxxxxxxxxx>

diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 471180b..4395aa4 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -89,7 +89,7 @@ static int udp_v6_get_port(struct sock *
next:;
}
result = best;
- for(;; result += UDP_HTABLE_SIZE) {
+ for(i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++, result += UDP_HTABLE_SIZE) {
if (result > sysctl_local_port_range[1])
result = sysctl_local_port_range[0]
+ ((result - sysctl_local_port_range[0]) &
@@ -97,6 +97,8 @@ static int udp_v6_get_port(struct sock *
if (!udp_lport_inuse(result))
break;
}
+ if (i >= (1 << 16) / UDP_HTABLE_SIZE)
+ goto fail;
gotit:
udp_port_rover = snum = result;
} else {
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: 'David Gibson': "Re: RFC: Cleanup / small fixes to hugetlb fault handling"
Previous message: Ivan Kokshaysky: "Re: AMD 8131 and MSI quirk"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]