[Secure-testing-team] [linux-2.6] Fix signedness issues in net/core/filter.c
Florian Weimer
fw at deneb.enyo.de
Tue Oct 25 15:35:19 UTC 2005
Is the issue described below already on your radar screen? I couldn't
find it in the relevant files. AFAICT, no CVE name has been assigned.
commit 4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e
Author: Patrick McHardy <kaber at trash.net>
Date: Mon Jul 18 06:52:50 2005 +0200
[PATCH] Fix signedness issues in net/core/filter.c
This is the code to load packet data into a register:
        k = fentry->k;
        if (k < 0) {
                ...
        } else {
                u32 _tmp, *p;
                p = skb_header_pointer(skb, k, 4, &_tmp);
                if (p != NULL) {
                        A = ntohl(*p);
                        continue;
                }
        }
skb_header_pointer checks if the requested data is within the
linear area:
        int hlen = skb_headlen(skb);
        if (offset + len <= hlen)
                return skb->data + offset;
When offset is within [INT_MAX-len+1..INT_MAX] the addition will
result in a negative number which is <= hlen.
I couldn't trigger a crash on my AMD64 with 2GB of memory, but a
coworker tried on his x86 machine and it crashed immediately.
This patch fixes the check in skb_header_pointer to handle large
positive offsets similar to skb_copy_bits. Invalid data can still
be accessed using negative offsets (also similar to skb_copy_bits),
anyone using negative offsets needs to verify them himself.
Thanks to Thomas Vögtle <thomas.voegtle at coreworks.de> for verifying the
problem by crashing his machine and providing me with an Oops.
Signed-off-by: Patrick McHardy <kaber at trash.net>
Signed-off-by: Chris Wright <chrisw at osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
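The bounds check the commit describes, modelled as an added example; this is not the kernel's code or the patch's diff. The vulnerable check is the `offset + len <= hlen` form quoted above; the hardened form is a subtraction-based check of the kind the commit attributes to skb_copy_bits, written here as an illustration, and `wrap_add`, `hlen = 1500` and the function names are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Model of the 32-bit "int" arithmetic in skb_header_pointer. The kernel code
 * adds two ints; signed overflow is undefined in C, so the two's-complement
 * wrap is emulated here with unsigned arithmetic to keep the result
 * deterministic. */
static int32_t wrap_add(int32_t a, int32_t b)
{
	return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Check as quoted in the commit message: offset + len <= hlen. Returns true
 * when the caller would be handed skb->data + offset. */
bool vulnerable_in_linear(int32_t hlen, int32_t offset, int32_t len)
{
	return wrap_add(offset, len) <= hlen;
}

/* Overflow-safe form (illustrative, not the patch's diff): subtract first, so
 * a large positive offset cannot wrap the comparison. Negative offsets are
 * rejected here outright; the commit leaves validating them to the caller. */
bool hardened_in_linear(int32_t hlen, int32_t offset, int32_t len)
{
	if (offset < 0 || len < 0 || hlen < 0)
		return false;
	return hlen - offset >= len;
}

/* Counts how many offsets in the window [INT_MAX-len+1 .. INT_MAX] named in
 * the commit message a given check accepts. */
int count_accepted(bool (*check)(int32_t, int32_t, int32_t),
		   int32_t hlen, int32_t len)
{
	int n = 0;
	for (int32_t off = INT32_MAX - len + 1;; off++) {
		if (check(hlen, off, len))
			n++;
		if (off == INT32_MAX)	/* stop before off itself would overflow */
			break;
	}
	return n;
}
```

With a 1500-byte linear area, the quoted check accepts every one of the `len` offsets at the top of the int range (the pointer returned would be far outside the skb), while the subtraction form accepts none of them and still accepts in-range offsets such as 100.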