netdev.vger.kernel.org archive mirror
From: Dan Rosenberg <drosenberg@vsecurity.com>
To: jchapman@katalix.com
Cc: netdev@vger.kernel.org, security@kernel.org
Subject: [SECURITY] L2TP send buffer allocation size overflows
Date: Sun, 31 Oct 2010 14:14:44 -0400
Message-ID: <1288548884.3090.14.camel@Dan>

Both PPPoL2TP (in net/l2tp/l2tp_ppp.c, pppol2tp_sendmsg()) and IPoL2TP
(in net/l2tp/l2tp_ip.c, l2tp_ip_sendmsg()) make calls to sock_wmalloc()
that perform arithmetic on the size argument without any maximum bound.
As a result, by issuing sendto() calls with very large sizes, this
allocation size will wrap and result in a small buffer being allocated,
leading to ugliness immediately after (probably kernel panics due to bad
sk_buff tail position, but possibly kernel heap corruption).

This issue was just fixed in the core code with:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=253eacc070b114c2ec1f81b067d2fed7305467b0

Even though this won't be an issue for much longer, it should still be
fixed here just in case any paths to calling these functions with large
sizes are left open.

-Dan
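Added illustration, not part of Dan's message or the l2tp sources: the unbounded size computation the report describes, beside a bounded version that rejects the request before anything is allocated. The header overhead constants are constructed placeholders, not the driver's real values.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed fixed overhead placed in front of the payload (headroom plus
 * encapsulation headers). Hypothetical values, not the driver's own. */
#define HEADROOM      64u
#define PROTO_HDR_LEN 40u

/* Unsafe pattern: the caller-controlled length is added to the header
 * overhead with no upper bound. The skb allocator takes an unsigned int,
 * so a huge length wraps the sum to a small value and a tiny buffer is
 * allocated for a large write. */
static unsigned int unchecked_alloc_size(unsigned int total_len)
{
    return HEADROOM + PROTO_HDR_LEN + total_len;
}

/* Hardened pattern: bound the request and detect wrap before allocating.
 * Returns the allocation size, or -1 when the request must be rejected
 * (a sendmsg path would return an error instead of allocating). */
static long long checked_alloc_size(size_t total_len)
{
    const size_t overhead = HEADROOM + PROTO_HDR_LEN;

    /* Same bound the core fix imposes on socket I/O: at most INT_MAX bytes. */
    if (total_len > (size_t)INT_MAX)
        return -1;
    /* Overflow-safe addition: a + b wraps iff b > SIZE_MAX - a. */
    if (total_len > SIZE_MAX - overhead)
        return -1;
    /* The total, headers included, must still fit the INT_MAX budget and
     * therefore the allocator's unsigned int parameter. */
    if (overhead + total_len > (size_t)INT_MAX)
        return -1;
    return (long long)(overhead + total_len);
}

int main(void)
{
    unsigned int huge = UINT_MAX - 50u;
    printf("unchecked: len=%u -> alloc %u bytes\n", huge, unchecked_alloc_size(huge));
    printf("checked:   len=%u -> %lld\n", huge, checked_alloc_size((size_t)huge));
    printf("checked:   len=1500 -> %lld\n", checked_alloc_size(1500));
    return 0;
}
```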

