From: Ben Hutchings <ben@decadent.org.uk>
To: Jiri Bohac <jbohac@suse.cz>
Cc: Dan Rosenberg <drosenberg@vsecurity.com>,
ralf@linux-mips.org, davem@davemloft.net, netdev@vger.kernel.org,
security@kernel.org
Subject: Re: [PATCH v2] ROSE: prevent heap corruption with bad facilities
Date: Sun, 03 Apr 2011 05:23:10 +0100 [thread overview]
Message-ID: <1301804590.4157.53.camel@localhost> (raw)
In-Reply-To: <20110331180225.GA6677@midget.suse.cz>
[-- Attachment #1: Type: text/plain, Size: 1505 bytes --]
On Thu, 2011-03-31 at 20:02 +0200, Jiri Bohac wrote:
[...]
> This last hunk does not look correct. In the default branch of
> the switch, you set len = 1, which means
> p += 2; facilities_len -= 2.
>
> The original code does
> facilities_len--; p++;
> ... and it looks correct. So, to get the old behaviour back:
>
> diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
> index f6c71ca..9777700 100644
> --- a/net/rose/rose_subr.c
> +++ b/net/rose/rose_subr.c
> @@ -418,7 +418,7 @@ int rose_parse_facilities(unsigned char *p, unsigned packet_len,
>
> default:
> printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);
> - len = 1;
> + len = 0;
> break;
> }
Yes, agreed.
> However, I wonder how much sense it makes to continue parsing the
> facilities if an unknown facility family appears. We don't know
> the length of its data, so we will interpret each 16 bytes a new
> facilities header, hopefully soon bailing out on *p != 0x00.
>
> In case of a long packet where every other byte is zero, the loop
> will spam the kernel log with the printk ... which could probably
> be classified as a security problem on its own. So how about the
> following instead? I have no idea if this breaks some rose
> specification, though.
[...]
I don't know any more than you do; maybe Ralf knows or can find out.
Ben.
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 828 bytes --]
next prev parent reply other threads:[~2011-04-03 4:23 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-20 6:43 [PATCH v2] ROSE: prevent heap corruption with bad facilities Dan Rosenberg
2011-03-20 16:48 ` Ben Hutchings
2011-03-28 0:59 ` David Miller
2011-03-29 1:16 ` Ben Hutchings
2011-03-29 16:26 ` Ralf Baechle
2011-03-31 18:02 ` Jiri Bohac
2011-04-01 12:29 ` Jiri Bohac
2011-04-02 4:41 ` David Miller
2011-04-05 8:20 ` Jiri Bohac
2011-04-03 4:23 ` Ben Hutchings [this message]
2011-03-28 0:59 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1301804590.4157.53.camel@localhost \
--to=ben@decadent.org.uk \
--cc=davem@davemloft.net \
--cc=drosenberg@vsecurity.com \
--cc=jbohac@suse.cz \
--cc=netdev@vger.kernel.org \
--cc=ralf@linux-mips.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).