public inbox for linux-kernel@vger.kernel.org
From: David Miller <davem@davemloft.net>
To: xi.wang@gmail.com
Cc: vladislav.yasevich@hp.com, linux-kernel@vger.kernel.org,
	sri@us.ibm.com, linux-sctp@vger.kernel.org,
	netdev@vger.kernel.org, security@kernel.org
Subject: Re: [PATCH v2] sctp: better integer overflow check in sctp_auth_create_key()
Date: Tue, 29 Nov 2011 14:35:28 -0500 (EST)
Message-ID: <20111129.143528.342322755.davem@davemloft.net>
In-Reply-To: <125BB325-72D4-4FEF-A5CC-118680EC78D2@gmail.com>

From: Xi Wang <xi.wang@gmail.com>
Date: Tue, 29 Nov 2011 14:26:30 -0500

> The check from commit 30c2235c is incomplete and cannot prevent
> cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
> left-hand side of the check (INT_MAX - key_len), which is unsigned,
> becomes 0xffffffff (UINT_MAX) and bypasses the check.
> 
> However this shouldn't be a security issue.  The function is called
> from the following two code paths:
> 
>  1) setsockopt()
> 
>  2) sctp_auth_asoc_set_secret()
> 
> In case (1), sca_keylength is never going to exceed 65535 since it's
> bounded by a u16 from the user API.  As such, the key length will
> never overflow.
> 
> In case (2), sca_keylength is computed based on the user key (1 short)
> and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
> will not overflow.
> 
> In other words, this overflow check is not really necessary.  Just
> make it more correct.
> 
> Signed-off-by: Xi Wang <xi.wang@gmail.com>
> Cc: Vlad Yasevich <vladislav.yasevich@hp.com>

I already applied your patch, you cannot just post a patch as if
it hasn't been applied to the tree, it doesn't work like that.

Once I've applied one of your patches, it is "cast in stone" and
cannot be reverted.  You must therefore develop relative to the
change.
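The wraparound described in the quoted commit message, as an added user-space example that is not part of this thread or the kernel source. `HDR_SIZE` and all function names are hypothetical, the check shape is inferred from the message's description of `(INT_MAX - key_len)` as the left-hand side, the second check is one possible non-wrapping form rather than the patch itself, and a 32-bit `int` is assumed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the fixed-size header allocated in front of the key. */
#define HDR_SIZE ((size_t)16)

/* Left-hand side of the incomplete check. INT_MAX is converted to unsigned
 * because key_len is unsigned, so the subtraction wraps once key_len > INT_MAX. */
static uint32_t wrapped_lhs(uint32_t key_len)
{
    return INT_MAX - key_len;
}

/* Incomplete form: returns 1 when the length is rejected. */
static int incomplete_check_rejects(uint32_t key_len)
{
    return wrapped_lhs(key_len) < HDR_SIZE;
}

/* Non-wrapping form: compare key_len against a bound computed from constants
 * only, so no subtraction involves the untrusted value. */
static int corrected_check_rejects(uint32_t key_len)
{
    return key_len > (uint32_t)INT_MAX - HDR_SIZE;
}

int main(void)
{
    /* Constructed sample lengths: the largest value the commit message says is
     * reachable, a value just under INT_MAX, and INT_MAX + 1. */
    const uint32_t samples[] = {
        7u * USHRT_MAX, (uint32_t)INT_MAX - 8, 0x80000000u
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("key_len=%#010x lhs=%#010x incomplete=%s corrected=%s\n",
               (unsigned)samples[i], (unsigned)wrapped_lhs(samples[i]),
               incomplete_check_rejects(samples[i]) ? "reject" : "accept",
               corrected_check_rejects(samples[i]) ? "reject" : "accept");
    return 0;
}
```
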


Thread overview: 6+ messages
     [not found] <426D7BA8-ECD0-44D6-A09F-2033F0C825FC@gmail.com>
2011-11-28 15:45 ` [PATCH] sctp: integer overflow in sctp_auth_create_key() Vladislav Yasevich
2011-11-29  7:33   ` Xi Wang
2011-11-29 15:03     ` Vladislav Yasevich
2011-11-29 19:24       ` Xi Wang
2011-11-29 19:26         ` [PATCH v2] sctp: better integer overflow check " Xi Wang
2011-11-29 19:35           ` David Miller [this message]
