* [PATCH] tcp: no md5sig option size check bug
@ 2010-08-07 19:17 ` Dmitry Popov
0 siblings, 0 replies; 3+ messages in thread
From: Dmitry Popov @ 2010-08-07 19:17 UTC (permalink / raw)
To: David S. Miller, Alexey Kuznetsov, James Morris, Patrick McHardy,
Hideaki YOSHIFUJI
Cc: Pekka Savola (ipv6),
Gilad Ben-Yossef, Yony Amit, Ori Finkelman, Ilpo Järvinen,
netdev, linux-kernel
From: Dmitry Popov <dp@highloadlab.com>
tcp_parse_md5sig_option doesn't check md5sig option (TCPOPT_MD5SIG)
length, but tcp_v[46]_inbound_md5_hash assume that it's at least 16
bytes long.
Signed-off-by: Dmitry Popov <dp@highloadlab.com>
---
net/ipv4/tcp_input.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 3c426cb..e663b78 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3930,7 +3930,7 @@ u8 *tcp_parse_md5sig_option(struct tcphdr *th)
if (opsize < 2 || opsize > length)
return NULL;
if (opcode == TCPOPT_MD5SIG)
- return ptr;
+ return opsize == TCPOLEN_MD5SIG ? ptr : NULL;
}
ptr += opsize - 2;
length -= opsize;
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH] tcp: no md5sig option size check bug
@ 2010-08-07 19:17 ` Dmitry Popov
0 siblings, 0 replies; 3+ messages in thread
From: Dmitry Popov @ 2010-08-07 19:17 UTC (permalink / raw)
To: David S. Miller, Alexey Kuznetsov, James Morris, Patrick McHardy,
Hideaki YOSHIFUJI
Cc: Pekka Savola (ipv6),
Gilad Ben-Yossef, Yony Amit, Ori Finkelman, Ilpo Järvinen,
netdev, linux-kernel
From: Dmitry Popov <dp@highloadlab.com>
tcp_parse_md5sig_option doesn't check md5sig option (TCPOPT_MD5SIG)
length, but tcp_v[46]_inbound_md5_hash assume that it's at least 16
bytes long.
Signed-off-by: Dmitry Popov <dp@highloadlab.com>
---
net/ipv4/tcp_input.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 3c426cb..e663b78 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3930,7 +3930,7 @@ u8 *tcp_parse_md5sig_option(struct tcphdr *th)
if (opsize < 2 || opsize > length)
return NULL;
if (opcode == TCPOPT_MD5SIG)
- return ptr;
+ return opsize == TCPOLEN_MD5SIG ? ptr : NULL;
}
ptr += opsize - 2;
length -= opsize;
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] tcp: no md5sig option size check bug
2010-08-07 19:17 ` Dmitry Popov
(?)
@ 2010-08-08 3:24 ` David Miller
-1 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2010-08-08 3:24 UTC (permalink / raw)
To: dp
Cc: kuznet, jmorris, kaber, yoshfuji, pekkas, gilad, yony, ori,
ilpo.jarvinen, netdev, linux-kernel
From: Dmitry Popov <dp@highloadlab.com>
Date: Sat, 7 Aug 2010 23:17:52 +0400
> From: Dmitry Popov <dp@highloadlab.com>
>
> tcp_parse_md5sig_option doesn't check md5sig option (TCPOPT_MD5SIG)
> length, but tcp_v[46]_inbound_md5_hash assume that it's at least 16
> bytes long.
>
> Signed-off-by: Dmitry Popov <dp@highloadlab.com>
I'll apply this, but the memcmp() we do against this pointer is always
safe because there's at least skb_shared_info()'s worth of valid
memory past skb->data guarenteed at all times which is much larger
than 16 bytes.
So at worst we'd access garbage, but never past a valid piece of
allocated memory.
Thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2010-08-08 3:24 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-08-07 19:17 [PATCH] tcp: no md5sig option size check bug Dmitry Popov
2010-08-07 19:17 ` Dmitry Popov
2010-08-08 3:24 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.