From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, bunk@stusta.de,
Arnaldo Carvalho de Melo <acme@ghostprotocols.net>,
"David S. Miller" <davem@davemloft.net>
Subject: [patch 14/37] DCCP: Fix exploitable hole in DCCP socket options
Date: Fri, 30 Mar 2007 14:04:42 -0700 [thread overview]
Message-ID: <20070330210442.GP29450@kroah.com> (raw)
In-Reply-To: <20070330210334.GA29450@kroah.com>
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
[DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV
We were only checking if there was enough space to put the int, but
left len as specified by the (malicious) user, sigh, fix it by setting
len to sizeof(val) and transferring just one int worth of data, the one
asked for.
Also check for negative len values.
Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/dccp/proto.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -575,7 +575,7 @@ static int do_dccp_getsockopt(struct soc
if (get_user(len, optlen))
return -EFAULT;
- if (len < sizeof(int))
+ if (len < (int)sizeof(int))
return -EINVAL;
dp = dccp_sk(sk);
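Review bot: the cast in `if (len < (int)sizeof(int))` is the whole fix for the negative-length case and deserves a one-line comment, because it looks like a no-op. `len` is an `int` read from the caller via `get_user(len, optlen)`; comparing it against the `size_t` result of `sizeof` converts it to unsigned, so a negative `len` becomes a huge value and passes the old check. Without a comment the cast is likely to be "cleaned up" by a later patch.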
@@ -589,9 +589,11 @@ static int do_dccp_getsockopt(struct soc
(__be32 __user *)optval, optlen);
case DCCP_SOCKOPT_SEND_CSCOV:
val = dp->dccps_pcslen;
+ len = sizeof(val);
break;
case DCCP_SOCKOPT_RECV_CSCOV:
val = dp->dccps_pcrlen;
+ len = sizeof(val);
break;
case 128 ... 191:
return ccid_hc_rx_getsockopt(dp->dccps_hc_rx_ccid, sk, optname,
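Review bot: `len = sizeof(val);` is now duplicated in the DCCP_SOCKOPT_SEND_CSCOV and DCCP_SOCKOPT_RECV_CSCOV cases. Consider setting it once after the switch, just before the copy-out, so that any future case that stores into `val` inherits the clamp instead of having to remember it; the CCID range (`case 128 ... 191`) returns early, so it would not be affected.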
--
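A constructed C model of the length check and copy-out that the commit message above describes, added here as an example; it is not the patch or the kernel's code, and `struct fake_sock`, `old_len_ok`, `fixed_len_ok` and `fixed_getsockopt_cscov` are invented names. It shows why a negative `len` passes the unsigned comparison and how clamping `len` to `sizeof(val)` bounds the copy.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the DCCP socket state; not the kernel struct.
 * The bytes after the option value model other kernel data that an
 * over-long copy-out would expose. */
struct fake_sock {
    int dccps_pcslen;          /* value returned for DCCP_SOCKOPT_SEND_CSCOV */
    unsigned char other[60];   /* stands in for the rest of the socket */
};

/* The original comparison: len is int, sizeof() yields size_t, so len is
 * converted to unsigned first. A negative len (e.g. -1) becomes huge and
 * wrongly passes. Written with an explicit cast to show the conversion. */
int old_len_ok(int len)
{
    return (size_t)len >= sizeof(int);
}

/* The fixed comparison casts sizeof() to int, keeping the comparison
 * signed, so a negative len is rejected. */
int fixed_len_ok(int len)
{
    return len >= (int)sizeof(int);
}

/* Fixed copy-out: validate the caller's len, then clamp it to sizeof(val)
 * and copy exactly one int. optval_size models the real size of the
 * caller's buffer. Returns 0 or a negative errno, like the kernel path. */
int fixed_getsockopt_cscov(const struct fake_sock *sk, void *optval,
                           int *optlen, size_t optval_size)
{
    int len = *optlen;
    int val;

    if (!fixed_len_ok(len))
        return -EINVAL;
    val = sk->dccps_pcslen;
    len = sizeof(val);                /* the fix: ignore the caller's len */
    if ((size_t)len > optval_size)    /* buffer genuinely too small */
        return -EFAULT;
    memcpy(optval, &val, len);
    *optlen = len;                    /* report the bytes actually written */
    return 0;
}
```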