From: Vlad Yasevich <vladislav.yasevich@hp.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, linux-sctp@vger.kernel.org
Subject: Re: [PATCH]: SCTP length validation.
Date: Mon, 23 Jun 2008 11:59:43 -0400 [thread overview]
Message-ID: <485FC86F.4090808@hp.com> (raw)
In-Reply-To: <20080622.123232.71141502.davem@davemloft.net>
David Miller wrote:
> From: Vlad Yasevich <vladislav.yasevich@hp.com>
> Date: Sat, 21 Jun 2008 11:55:19 -0400
>
>> The same vulnerability also exists in sctp_getsockopt_peer_addrs_old().
>> It's a bit more difficult to trigger since there is a dependency on
>> the peer being multihomed as well, but it's still possible to cause the
>> overwrite.
>
> I can't see how that's possible. This case looks harmless to
> me.
>
> The kernel side accesses are perfectly protected. The kernel
> will only access the actual address list stored via:
>
> list_for_each_entry(from, &asoc->peer.transport_addr_list,
> transports) {
> ...
> cnt ++;
> if (cnt >= getaddrs.addr_num) break;
> }
> getaddrs.addr_num = cnt;
>
> Copies are only made to userspace, and the given ->addr_num only
> serves as an early break-out from that loop. I mean, take a look,
> those lines in the above are the only aaccesses made to the user's
> provided addr_num value.
>
> There is no possibility to use strange ->addr_num values
> in order to read or write kernel memory outside of the
> intended bounds.
>
> I don't even see any value to adding new checks here.
>
You are right. I didn't look far enough. Since there is no kmalloc(),
the overflow of kernel memory is not possible, and copy_to_user should
take care of any overflows of the user memory.
-vlad
next prev parent reply other threads:[~2008-06-23 16:00 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-06-21 5:12 [PATCH]: SCTP length validation David Miller
2008-06-21 15:55 ` Vlad Yasevich
2008-06-22 19:32 ` David Miller
2008-06-23 15:59 ` Vlad Yasevich [this message]
2008-06-23 21:42 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=485FC86F.4090808@hp.com \
--to=vladislav.yasevich@hp.com \
--cc=davem@davemloft.net \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).