[Secure-testing-team] e1000: Potential packet filtering bypass
Ben Hutchings
ben at decadent.org.uk
Thu Jan 7 19:12:36 UTC 2010
Package: linux-2.6
Version: 2.6.32-4
Severity: normal
Tags: patch security
Fabian Yamaguchi made a presentation at 26C3
<http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html> which
included a bug in e1000 related to this fix for CVE-2009-1385:
    commit ea30e11970a96cfe5e32c03a29332554573b4a10
    Author: Neil Horman <nhorman at tuxdriver.com>
    Date:   Tue Jun 2 01:29:58 2009 -0700

        e1000: add missing length check to e1000 receive routine
The bug is that the last part of a scattered frame will be accepted so
long as it is longer than 4 bytes. This can be used to evade packet
filtering in front of the host with the e1000 hardware, since the packet
filter will look at the real frame headers but Linux will see the
'headers' in this last part.
Personally I doubt that many packet filters are configured to allow
jumbo frames through, hence severity is only 'normal'.
A proposed fix was posted in:
<http://article.gmane.org/gmane.linux.network/148454>
We should get a separate CVE number for this bug.
Ben.
-- System Information:
Debian Release: squeeze/sid
APT prefers proposed-updates
APT policy: (500, 'proposed-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--
Ben Hutchings
To err is human; to really foul things up requires a computer.
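As an added illustration of the receive-path logic the report describes (this is not code from the mail, from the linked patch, or from the e1000 driver), the following C model contrasts two policies for handling a frame that the hardware scattered over more than one receive buffer. The flawed policy drops the leading fragments and then accepts the tail as a complete frame whenever it is longer than 4 bytes, which is exactly the mismatch the report points out: an inline packet filter judged the frame by its real headers, but the host treats the tail's payload bytes as headers. The hardened policy remembers that a frame spanned buffers and discards every descriptor of it, including the tail carrying EOP. The descriptor layout, the EOP flag handling, the 4-byte runt threshold and the `discarding` state are assumptions of this model; the descriptor ring is constructed sample input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a receive descriptor (hypothetical type, not the
 * driver's): the NIC records how many bytes it placed in the buffer and
 * sets EOP (end of packet) on the descriptor that completes a frame.  A
 * frame larger than one buffer is scattered over several descriptors and
 * only the last one carries EOP. */
struct rx_desc {
    size_t length;
    bool eop;
};

#define RX_MIN_LEN 4       /* runt threshold, as described in the report */
#define MAX_DELIVERED 16

/* Flawed policy as described in the report: every non-EOP descriptor is
 * dropped, and every EOP descriptor longer than RX_MIN_LEN is handed up
 * the stack as a complete frame.  The tail of a scattered frame therefore
 * reaches the host as a "frame" whose first bytes are really mid-payload
 * of the frame an inline filter already inspected. */
size_t rx_flawed(const struct rx_desc *ring, size_t n, size_t *delivered)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!ring[i].eop)
            continue;                    /* drop the leading fragments */
        if (ring[i].length <= RX_MIN_LEN)
            continue;                    /* drop runts */
        if (count < MAX_DELIVERED)
            delivered[count] = i;
        count++;
    }
    return count;
}

/* Hardened policy (assumed approach, not the driver's code): once a
 * non-EOP descriptor is seen the frame did not fit a single buffer, so the
 * whole frame is discarded, including every later descriptor up to and
 * including the one carrying EOP.  No fragment can be delivered on its own. */
size_t rx_fixed(const struct rx_desc *ring, size_t n, size_t *delivered)
{
    size_t count = 0;
    bool discarding = false;
    for (size_t i = 0; i < n; i++) {
        if (discarding) {
            if (ring[i].eop)
                discarding = false;      /* tail consumed, resume normal receive */
            continue;
        }
        if (!ring[i].eop) {
            discarding = true;           /* frame spans buffers: drop all of it */
            continue;
        }
        if (ring[i].length <= RX_MIN_LEN)
            continue;                    /* drop runts */
        if (count < MAX_DELIVERED)
            delivered[count] = i;
        count++;
    }
    return count;
}

/* Constructed descriptor ring: an ordinary frame, a frame scattered over
 * two buffers, another ordinary frame, and a runt. */
static const struct rx_desc sample_ring[] = {
    { 60,   true  },   /* 0: ordinary frame */
    { 2048, false },   /* 1: first buffer of an oversized frame */
    { 40,   true  },   /* 2: tail of that frame (>4 bytes) */
    { 100,  true  },   /* 3: ordinary frame */
    { 3,    true  },   /* 4: runt */
};
const size_t sample_ring_len = sizeof sample_ring / sizeof sample_ring[0];

size_t sample_flawed(size_t *delivered)
{
    return rx_flawed(sample_ring, sample_ring_len, delivered);
}

size_t sample_fixed(size_t *delivered)
{
    return rx_fixed(sample_ring, sample_ring_len, delivered);
}

static void report(const char *label, size_t n, const size_t *d)
{
    printf("%s delivers %zu frame(s):", label, n);
    for (size_t i = 0; i < n; i++)
        printf(" desc %zu", d[i]);
    printf("\n");
}

int main(void)
{
    size_t d[MAX_DELIVERED];
    report("flawed", sample_flawed(d), d);   /* desc 0, 2, 3 */
    report("fixed ", sample_fixed(d), d);    /* desc 0, 3 */
    return 0;
}
```

Descriptor 2 is the interesting one: under the flawed policy it is delivered as a standalone frame even though the filter in front of the host never saw a frame starting with those bytes; under the hardened policy the `discarding` state swallows it together with descriptor 1.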