Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 174209 (CVE-2007-1357) - Kernel: [APPLETALK]: Fix a remotely triggerable crash (CVE-2007-1357)
Summary: Kernel: [APPLETALK]: Fix a remotely triggerable crash (CVE-2007-1357)
Status: RESOLVED FIXED
Alias: CVE-2007-1357
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [linux < 2.6.20.5][gp < 2.6.20-6] [li...
Keywords:
Depends on:
Blocks:
 
Reported: 2007-04-11 20:18 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2013-09-05 02:54 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 20:18:37 UTC 
When we receive an AppleTalk frame shorter than what its header says,
 we still attempt to verify its checksum, and trip on the BUG_ON() at
 the end of function atalk_sum_skb() because of the length mismatch.
 
 This has security implications because this can be triggered by simply
 sending a specially crafted ethernet frame to a target victim,
 effectively crashing that host. Thus this qualifies, I think, as a
 remote DoS. Here is the frame I used to trigger the crash, in npg
 format:
 
 <Appletalk Killer>
 {
 # Ethernet header -----
 
   XX XX XX XX XX XX  # Destination MAC
   00 00 00 00 00 00  # Source MAC
   00 1D              # Length
 
 # LLC header -----
 
   AA AA 03
   08 00 07 80 9B  # Appletalk
 
 # Appletalk header -----
 
   00 1B        # Packet length (invalid)
   00 01        # Fake checksum
   00 00 00 00  # Destination and source networks
   00 00 00 00  # Destination and source nodes and ports
 
 # Payload -----
 
   0C 0D 0E 0F 10 11 12 13
   14
 }
 
 The destination MAC address must be set to those of the victim.
 
 The severity is mitigated by two requirements:
 * The target host must have the appletalk kernel module loaded. I
   suspect this isn't so frequent.
 * AppleTalk frames are non-IP, thus I guess they can only travel on
   local networks. I am no network expert though, maybe it is possible
   to somehow encapsulate AppleTalk packets over IP.
 
 The bug has been reported back in June 2004:
   http://bugzilla.kernel.org/show_bug.cgi?id=2979
 But it wasn't investigated, and was closed in July 2006 as both
 reporters had vanished meanwhile.
 
 This code was new in kernel 2.6.0-test5:
   http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2
 And not modified since then, so we can assume that vanilla kernels
 2.6.0-test5 and later, and distribution kernels based thereon, are
 affected.
 
 Note that I still do not know for sure what triggered the bug in the
 real-world cases. The frame could have been corrupted by the kernel if
 we have a bug hiding somewhere. But more likely, we are receiving the
 faulty frame from the network.
 
 Signed-off-by: Jean Delvare <jdelvare@suse.de>
 Signed-off-by: David S. Miller <davem@davemloft.net>
Comment 1 unnamedrambler 2008-03-08 19:15:41 UTC 
metadata:
[linux < 2.6.20.5]
f8c08c340b8308ca0afb19d62f71b2b39ccfc9e0

[gp < 2.6.20-6]