* [SECURITY] L2TP send buffer allocation size overflows
@ 2010-10-31 18:14 Dan Rosenberg
From: Dan Rosenberg @ 2010-10-31 18:14 UTC
  To: jchapman; +Cc: netdev, security

Both PPPoL2TP (in net/l2tp/l2tp_ppp.c, pppol2tp_sendmsg()) and IPoL2TP
(in net/l2tp/l2tp_ip.c, l2tp_ip_sendmsg()) make calls to sock_wmalloc()
that perform arithmetic on the size argument without any maximum bound.
As a result, by issuing sendto() calls with very large sizes, this
allocation size will wrap and result in a small buffer being allocated,
leading to ugliness immediately after (probably kernel panics due to bad
sk_buff tail position, but possibly kernel heap corruption).

This issue was just fixed in the core code with:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=253eacc070b114c2ec1f81b067d2fed7305467b0

Even though this won't be an issue for much longer, it should still be
fixed here just in case any paths to calling these functions with large
sizes are left open.

-Dan
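
Added example, not part of the original message and not the kernel's own code: a 32-bit model of the size arithmetic described above, showing the wrap next to a bounded variant. `HDR_OVERHEAD`, `MAX_PAYLOAD` and both function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration only; not taken from the L2TP sources. */
#define HDR_OVERHEAD 64u      /* hypothetical headroom + protocol headers */
#define MAX_PAYLOAD  0xffffu  /* hypothetical upper bound on one datagram */

/* Unbounded pattern: header overhead is added to a caller-supplied length
 * with no upper limit. Modelled in 32 bits so the wrap is well defined. */
static uint32_t alloc_size_unchecked(uint32_t total_len)
{
    return HDR_OVERHEAD + total_len;   /* wraps modulo 2^32 */
}

/* Bounded pattern: reject oversized lengths before doing the arithmetic.
 * Returns 0 and stores the size in *out, or -EMSGSIZE. */
static int alloc_size_checked(uint32_t total_len, uint32_t *out)
{
    if (total_len > MAX_PAYLOAD)
        return -EMSGSIZE;
    *out = HDR_OVERHEAD + total_len;   /* cannot wrap: both terms are small */
    return 0;
}

int main(void)
{
    /* Constructed sample lengths: one normal, two near the 32-bit limit. */
    const uint32_t samples[] = { 1400u, 0xffffffc0u, 0xfffffff0u };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t len = samples[i], size = 0;
        int rc = alloc_size_checked(len, &size);

        printf("len=%10u unchecked=%10u checked: rc=%d size=%u\n",
               (unsigned)len, (unsigned)alloc_size_unchecked(len),
               rc, (unsigned)size);
    }
    return 0;
}
```

In the unchecked variant the two large lengths yield a requested size far smaller than the data that would then be copied, which is the mismatch the message describes.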

