Re: [PATCH v2] sctp: prevent reading out-of-bounds memory

From: Vlad Yasevich
Date: Wed Sep 08 2010 - 16:19:18 EST


On 09/03/2010 01:21 PM, Dan Rosenberg wrote:
> Two user-controlled allocations in SCTP are subsequently dereferenced
> as sockaddr structs, without checking if the dereferenced struct
> members fall beyond the end of the allocated chunk. There doesn't
> appear to be any information leakage here based on how these members
> are used and additional checking, but it's still worth fixing.
>
>
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@xxxxxxxxx>
>

Acked-By: Vlad Yasevich <vladislav.yasevich@xxxxxx>

-vlad

> --- linux-2.6.35.4.orig/net/sctp/socket.c 2010-09-03
> 08:58:48.127080114 -0400
> +++ linux-2.6.35.4/net/sctp/socket.c 2010-09-03 11:52:28.239595395 -0400
> @@ -916,6 +916,12 @@ SCTP_STATIC int sctp_setsockopt_bindx(st
> /* Walk through the addrs buffer and count the number of addresses. */
> addr_buf = kaddrs;
> while (walk_size < addrs_size) {
> +
> + if (walk_size + sizeof(sa_family_t) > addrs_size) {
> + kfree(kaddrs);
> + return -EINVAL;
> + }
> +
> sa_addr = (struct sockaddr *)addr_buf;
> af = sctp_get_af_specific(sa_addr->sa_family);
>
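Review bot: The check added at the top of the loop in sctp_setsockopt_bindx only guarantees that the sa_family field lies inside the buffer, and nothing in the hunk says that this is deliberate. A one-line comment above `if (walk_size + sizeof(sa_family_t) > addrs_size)` stating that only the family is validated here, and that the full address length is validated once `af` is known, would make the intent clear. Two smaller points: the empty `+` line directly after the `while (...) {` line can be dropped, and the error path frees `kaddrs` inline while the matching check in __sctp_connect uses `goto out_free`, so it is worth confirming that this matches how the other error returns in this function release the buffer.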
> @@ -1002,9 +1008,14 @@ static int __sctp_connect(struct sock* s
> /* Walk through the addrs buffer and count the number of addresses. */
> addr_buf = kaddrs;
> while (walk_size < addrs_size) {
> +
> + if (walk_size + sizeof(sa_family_t) > addrs_size) {
> + err = -EINVAL;
> + goto out_free;
> + }
> +
> sa_addr = (union sctp_addr *)addr_buf;
> af = sctp_get_af_specific(sa_addr->sa.sa_family);
> - port = ntohs(sa_addr->v4.sin_port);
>
> /* If the address family is not supported or if this address
> * causes the address buffer to overflow return EINVAL.
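Review bot: The sa_family bounds check at the top of the __sctp_connect loop is the same expression as the one added to sctp_setsockopt_bindx, so the two address walks now carry duplicated validation that can drift apart; a small static helper taking `walk_size` and `addrs_size` would keep them in step. The removal of `port = ntohs(sa_addr->v4.sin_port);` from before the validation is only correct together with the re-add in the following hunk, and the changelog does not mention it, so a sentence saying that the port read was moved below the length validation would help anyone reading the history. The empty `+` line after the `while (...) {` line is unnecessary here as well.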
> @@ -1013,6 +1024,8 @@ static int __sctp_connect(struct sock* s
> err = -EINVAL;
> goto out_free;
> }
> +
> + port = ntohs(sa_addr->v4.sin_port);
>
> /* Save current address so we can work with it */
> memcpy(&to, sa_addr, af->sockaddr_len);
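Review bot: The relocated `port = ntohs(sa_addr->v4.sin_port);` still reads the port through the `v4` member whatever family `af` resolved to, and there is no comment explaining that. It now sits after the block that the comment in the previous hunk describes as rejecting unsupported families and addresses that overflow the buffer, so the read happens on a validated address, but a short comment noting that the port is intentionally read via `v4` for every supported family would spare the next reader from re-deriving why that is safe.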
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
