Gentoo's Bugzilla – Attachment 44830 Details for
Bug 72458
Local DoS using __scm_send (CAN-2004-1016)
patch-2.6.x- CAN-2004-1016.patch
patch-2.6.x- CAN-2004-1016.patch (text/plain), 2.77 KB, created by
solar (RETIRED)
on 2004-11-27 07:43:45 UTC
Description:
patch-2.6.x- CAN-2004-1016.patch
Filename:
MIME Type:
Creator:
solar (RETIRED)
Created:
2004-11-27 07:43:45 UTC
Size:
2.77 KB
>===== include/linux/socket.h 1.12 vs edited =====
>--- 1.12/include/linux/socket.h 2004-09-09 06:40:01 +10:00
>+++ edited/include/linux/socket.h 2004-11-27 11:53:40 +11:00
>@@ -90,6 +90,10 @@
> (struct cmsghdr *)(ctl) : \
> (struct cmsghdr *)NULL)
> #define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
>+#define CMSG_OK(mhdr, cmsg) ((cmsg)->cmsg_len >= sizeof(struct cmsghdr) && \
>+ (cmsg)->cmsg_len <= (unsigned long) \
>+ ((mhdr)->msg_controllen - \
>+ ((char *)(cmsg) - (char *)(mhdr)->msg_control)))
> 
> /*
> * This mess will go away with glibc
>===== net/core/scm.c 1.10 vs edited =====
>--- 1.10/net/core/scm.c 2004-05-31 05:08:14 +10:00
>+++ edited/net/core/scm.c 2004-11-27 11:48:55 +11:00
>@@ -127,9 +127,7 @@
> for too short ancillary data object at all! Oops.
> OK, let's add it...
> */
>- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
>- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
>- + cmsg->cmsg_len) > msg->msg_controllen)
>+ if (!CMSG_OK(msg, cmsg))
> goto error;
> 
> if (cmsg->cmsg_level != SOL_SOCKET)
>===== net/ipv4/ip_sockglue.c 1.26 vs edited =====
>--- 1.26/net/ipv4/ip_sockglue.c 2004-07-01 06:10:53 +10:00
>+++ edited/net/ipv4/ip_sockglue.c 2004-11-27 11:49:45 +11:00
>@@ -146,11 +146,8 @@
> struct cmsghdr *cmsg;
> 
> for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
>- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
>- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
>- + cmsg->cmsg_len) > msg->msg_controllen) {
>+ if (!CMSG_OK(msg, cmsg))
> return -EINVAL;
>- }
> if (cmsg->cmsg_level != SOL_IP)
> continue;
> switch (cmsg->cmsg_type) {
>===== net/ipv6/datagram.c 1.20 vs edited =====
>--- 1.20/net/ipv6/datagram.c 2004-11-10 17:57:03 +11:00
>+++ edited/net/ipv6/datagram.c 2004-11-27 11:51:15 +11:00
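Review bot: The new `CMSG_OK` macro in include/linux/socket.h has no comment saying why the upper bound compares `cmsg_len` with the space remaining in the control buffer instead of using the `offset + cmsg_len > msg_controllen` form the call sites had. That ordering looks like the substance of the fix, since the sum in the old form can wrap for a very large `cmsg_len`, so I would record it above the macro: `/* Compare cmsg_len with the space left after cmsg so the sum cannot wrap. */`. The subtraction is only meaningful while `cmsg` points inside `msg_control`, which presumably holds for pointers obtained from `CMSG_FIRSTHDR`/`CMSG_NXTHDR`, and that precondition belongs in the same comment. The macro also expands `cmsg` three times and `mhdr` twice, so the comment should say both arguments must be free of side effects.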
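Review bot: In the net/ipv4/ip_sockglue.c loop, `CMSG_OK` establishes only that `cmsg_len` covers a `struct cmsghdr` and stays within `msg_controllen`; it says nothing about the payload a given `cmsg_type` expects. The `switch` that follows continues outside the hunk, so I cannot confirm it from here, but each case should compare `cmsg_len` with `CMSG_LEN()` of its payload before reading through `CMSG_DATA()`. The same applies to the code after the check in the net/core/scm.c, net/ipv6/datagram.c and net/sctp/socket.c hunks. A one-line comment at each check, `/* header size and bounds only; payload length is checked per type below */`, would stop a later reader from treating it as full validation, and would replace the explanatory comment the sctp hunk deletes.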
>@@ -427,9 +427,7 @@
> int addr_type;
> struct net_device *dev = NULL;
> 
>- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
>- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
>- + cmsg->cmsg_len) > msg->msg_controllen) {
>+ if (!CMSG_OK(msg, cmsg)) {
> err = -EINVAL;
> goto exit_f;
> }
>===== net/sctp/socket.c 1.129 vs edited =====
>--- 1.129/net/sctp/socket.c 2004-11-19 08:43:18 +11:00
>+++ edited/net/sctp/socket.c 2004-11-27 11:52:11 +11:00
>@@ -4098,12 +4098,8 @@
> for (cmsg = CMSG_FIRSTHDR(msg);
> cmsg != NULL;
> cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) {
>- /* Check for minimum length. The SCM code has this check. */
>- if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
>- (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
>- + cmsg->cmsg_len) > msg->msg_controllen) {
>+ if (!CMSG_OK(msg, cmsg))
> return -EINVAL;
>- }
> 
> /* Should we parse this header or ignore? */
> if (cmsg->cmsg_level != IPPROTO_SCTP)
Attachments on
bug 72458
: 44830