From: Dan Rosenberg <drosenberg@vsecurity.com>
To: davem@davemloft.net
Cc: security@kernel.org, netdev@vger.kernel.org
Subject: [SECURITY] DECnet: need to validate user data and access data?
Date: Mon, 21 Mar 2011 19:41:41 -0400 [thread overview]
Message-ID: <1300750901.1813.15.camel@dan> (raw)
In net/decnet/af_decnet.c, in the dn_access_copy() and dn_user_copy()
functions, which are called from dn_connect(), length values are
retrieved from incoming skb data and used as size values to copy
functions:
static void dn_access_copy(struct sk_buff *skb, struct accessdata_dn *acc)
{
unsigned char *ptr = skb->data;
acc->acc_userl = *ptr++;
memcpy(&acc->acc_user, ptr, acc->acc_userl);
ptr += acc->acc_userl;
acc->acc_passl = *ptr++;
memcpy(&acc->acc_pass, ptr, acc->acc_passl);
ptr += acc->acc_passl;
acc->acc_accl = *ptr++;
memcpy(&acc->acc_acc, ptr, acc->acc_accl);
skb_pull(skb, acc->acc_accl + acc->acc_passl + acc->acc_userl + 3);
}
static void dn_user_copy(struct sk_buff *skb, struct optdata_dn *opt)
{
unsigned char *ptr = skb->data;
u16 len = *ptr++; /* yes, it's 8bit on the wire */
BUG_ON(len > 16); /* we've checked the contents earlier */
opt->opt_optl = cpu_to_le16(len);
opt->opt_status = 0;
memcpy(opt->opt_data, ptr, len);
skb_pull(skb, len + 1);
}
Despite the BUG_ON and comment suggesting these lengths have been
validated, I don't think this is actually the case - it looks like these
fields are validated for outbound data, but I see no validation for
inbound data (unless I'm mistaken, which is entirely possible). If this
is the case, this can allow remote attackers to cause controllable heap
corruption. I'd appreciate it if someone who knows this protocol better
than I do took a look at this and implemented appropriate error handling
if it needs it.
Thanks,
Dan
next reply other threads:[~2011-03-21 23:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-21 23:41 Dan Rosenberg [this message]
2011-03-22 7:42 ` [Security] [SECURITY] DECnet: need to validate user data and access data? Eugene Teo
2011-03-22 9:13 ` Steven Whitehouse
2011-03-22 9:21 ` David Miller
2011-03-22 11:01 ` Dan Rosenberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1300750901.1813.15.camel@dan \
--to=drosenberg@vsecurity.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).