From: dann frazier <dannf@hp.com>
To: Willy TARREAU <w@1wt.eu>
Cc: Florian Zumbiehl <florz@florz.de>, linux-kernel@vger.kernel.org
Subject: [PATCH] 2.4: [PPPOE]: memory leak when socket is release()d before PPPIOCGCHAN has been called on it
Date: Wed, 6 Feb 2008 18:41:17 -0700
Message-ID: <20080207014117.GA14829@ldl.fc.hp.com>
This is a 2.4 backport of a linux-2.6 change by Florian Zumbiehl.
(commit 202a03acf9994076055df40ae093a5c5474ad0bd)
CVE-2007-2525 was assigned for this issue. It has been compile-tested only.
Commit log from 2.6 follows.
Below you find a patch that fixes a memory leak when a PPPoE socket is
release()d after it has been connect()ed, but before the PPPIOCGCHAN ioctl
ever has been called on it.
This is somewhat of a security problem, too, since PPPoE sockets can be
created by any user, so any user can easily allocate all the machine's
RAM to non-swappable address space and thus DoS the system.
Is there any specific reason for PPPoE sockets being available to any
unprivileged process, BTW? After all, you need a packet socket for the
discovery stage anyway, so it's unlikely that any unprivileged process
will ever need to create a PPPoE socket, no? Allocating all session IDs
for a known AC is a kind of DoS, too, after all - with Juniper ERXes,
this is really easy, actually, since they don't ever assign session ids
above 8000 ...
Signed-off-by: dann frazier <dannf@hp.com>
---
drivers/net/pppox.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/net/pppox.c b/drivers/net/pppox.c
index 7830e4d..4883c0f 100644
--- a/drivers/net/pppox.c
+++ b/drivers/net/pppox.c
@@ -67,7 +67,7 @@ void pppox_unbind_sock(struct sock *sk)
{
/* Clear connection to ppp device, if attached. */
- if (sk->state & (PPPOX_BOUND|PPPOX_ZOMBIE)) {
+ if (sk->state & (PPPOX_BOUND | PPPOX_CONNECTED | PPPOX_ZOMBIE)) {
ppp_unregister_channel(&sk->protinfo.pppox->chan);
sk->state = PPPOX_DEAD;
}
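Review bot: widening the mask to PPPOX_BOUND | PPPOX_CONNECTED | PPPOX_ZOMBIE is only safe if the 2.4 PPPoE connect() path registers the channel before it sets PPPOX_CONNECTED, because every connected socket now goes through ppp_unregister_channel(&sk->protinfo.pppox->chan) on release; that ordering is not visible in this hunk and the cover text says the backport is compile-tested only, so please confirm it against the 2.4 PPPoE connect code before merging. A runtime regression check that matches the leak described in the commit log would be: create a PPPoE socket, connect() it, close() it without issuing PPPIOCGCHAN, and verify that kernel memory usage (e.g. /proc/slabinfo) stays flat across repetitions with the patch applied and grows without it.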
--
1.5.3.7