possible infinite loop in udp_v4_get_port()

Larry J. Blunk (ljb@publicport.com)
Thu, 21 Oct 1999 15:14:13 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jamie Lokier: "Re: raw memory & PCI bus access"
Previous message: Rik van Riel: "Re: [linux-kernel] mailing list properties"

It looks like a regular user could cause an infinite loop in
the following section of udp_v4_get_port() through the
judicious grabbing of UDP ports. Basically, the first 128 ports > 1023
(to put an entry in each hash table slot), and then every 128th port
up to the max port number (starting with the current value
of udp_port_rover which can be easily derived). I think there
should be some sort of additional bounding counter on this loop.

for(;; result += UDP_HTABLE_SIZE) {
if (result > sysctl_local_port_range[1])
result = sysctl_local_port_range[0]
+ ((result -
sysctl_local_port_range[0]) &
(UDP_HTABLE_SIZE - 1));
if (!udp_lport_inuse(result))
break;
}

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jamie Lokier: "Re: raw memory & PCI bus access"
Previous message: Rik van Riel: "Re: [linux-kernel] mailing list properties"