linux-kernel.vger.kernel.org archive mirror
From: Philipp Matthias Hahn <pmhahn@titan.lahn.de>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: <linux-irda@pasta.cs.UiT.No>
Subject: [PATCH] Re: [CHECKER] 52 probable security holes in 2.4.6 and 2.4.6-ac2
Date: Sun, 15 Jul 2001 17:40:23 +0200 (CEST)
Message-ID: <Pine.LNX.4.33.0107141239420.6232-100000@localhost>
In-Reply-To: <Pine.GSO.4.31.0107131616290.8768-100000@myth9.Stanford.EDU>

Hi Dag, Jean, LKML!

On Fri, 13 Jul 2001, Kenneth Michael Ashcraft wrote:

> These errors occur because user input (data from copy_from_user, get_user,
> etc.) is used without being checked in the following ways:
...
> 1	|	/home/kash/linux/2.4.6-ac2/net/irda/af_irda.c/
...
> ---------------------------------------------------------
> [BUG] looks like it
> /home/kash/linux/2.4.6-ac2/net/irda/af_irda.c:2064:irda_getsockopt: ERROR:RANGE:2063:2064: Using user length "(null)" as argument to "copy_to_user" [type=LOCAL] [state = need_lb] [linkages -> 2063:len:start] [distance=3]
> 			sizeof(struct irda_device_info);
>
> 		/* Copy the list itself */
> 		total = offset + (list.len * sizeof(struct irda_device_info));
> 		if (total > len)
> Start --->
> 			total = len;
> Error --->
> 		if (copy_to_user(optval+offset, discoveries, total - offset))
> 			err = -EFAULT;
>
> 		/* Write total number of bytes used back to client */
> ---------------------------------------------------------

Here's the patch for review: The old check looks quite bogus, because
optlen is a pointer.

The check was plain wrong.
--- /usr/src/linux-2.4.7/net/irda/af_irda.c~	Thu Jul 12 14:21:06 2001
+++ /usr/src/linux-2.4.7/net/irda/af_irda.c	Sat Jul 14 12:36:07 2001
@@ -2035,7 +2035,7 @@
 	if (get_user(len, optlen))
 		return -EFAULT;

-	if(optlen < 0)
+	if(len < 0)
 		return -EINVAL;

 	switch (optname) {
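Review bot: `if(len < 0)` only rejects anything when `len` is declared as a signed type, and the hunk does not show the declaration; please confirm it is an `int` (with an unsigned type the comparison is always false and the check is silently dead, which is the same problem the old `optlen < 0` had in a different form). The sign test also leaves the lower end open: in the quoted irda_getsockopt code, `if (total > len) total = len;` is followed by `copy_to_user(optval+offset, discoveries, total - offset)`, so a non-negative `len` that is smaller than `offset` still produces a negative `total - offset`. A second check along the lines of `if (len < offset) return -EINVAL;` before the copy, or clamping only the part after the header, would close that path too.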

BYtE
Philipp
-- 
  / /  (_)__  __ ____  __ Philipp Hahn
 / /__/ / _ \/ // /\ \/ /
/____/_/_//_/\_,_/ /_/\_\ pmhahn@titan.lahn.de
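To show what a complete length check on this code path looks like, here is an added, user-space model of a getsockopt handler that returns a count header followed by a variable-length list. It is not the kernel's code or Philipp's patch: get_user()/copy_to_user() are replaced by stand-ins over ordinary memory, `struct model_device_info` is a constructed record (not the real struct irda_device_info layout), and the three list entries are made up. The model validates the user-supplied length itself (not the pointer to it), rejects lengths too short for the header so that `total - offset` cannot go negative, clamps the copy to what the caller offered, and reports the bytes used back through optlen.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* errno values spelled out so the model does not depend on <errno.h> */
#define MODEL_EFAULT 14
#define MODEL_EINVAL 22

/* Constructed stand-in for the discovery record the real handler copies out;
 * the real struct irda_device_info has a different layout. */
struct model_device_info {
    unsigned char addr[4];
    char name[12];
};

/* Stand-ins for get_user()/put_user()/copy_to_user(): here the "user" buffer
 * is plain memory, so they never fault and always return 0 (success). */
static int model_get_user(int *dst, const int *src)
{
    *dst = *src;
    return 0;
}

static int model_put_user(int val, void *dst)
{
    memcpy(dst, &val, sizeof val);   /* memcpy: optval need not be int-aligned */
    return 0;
}

static unsigned long model_copy_to_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Model of a getsockopt handler returning a header (entry count) followed by
 * a variable-length list. Returns 0 or a negative errno; on success the number
 * of bytes written is stored back through optlen_user. */
static int model_getsockopt(char *optval, int *optlen_user,
                            const struct model_device_info *list, int count)
{
    const size_t offset = sizeof(int);          /* size of the count header */
    size_t total;
    int len;

    if (model_get_user(&len, optlen_user))
        return -MODEL_EFAULT;

    /* Validate the user-supplied length itself, not the pointer to it. */
    if (len < 0)
        return -MODEL_EINVAL;

    /* total - offset below must not underflow: the caller has to supply at
     * least room for the header. */
    if ((size_t)len < offset)
        return -MODEL_EINVAL;

    total = offset + (size_t)count * sizeof(struct model_device_info);
    if (total > (size_t)len)
        total = (size_t)len;                    /* clamp to what the user offered */

    if (model_put_user(count, optval))
        return -MODEL_EFAULT;
    if (model_copy_to_user(optval + offset, list, total - offset))
        return -MODEL_EFAULT;

    /* Report how many bytes were actually used. */
    if (model_put_user((int)total, optlen_user))
        return -MODEL_EFAULT;
    return 0;
}

/* Driver: runs the model with a three-entry constructed list and the given
 * user length; returns the negative errno, or the bytes used on success. */
static int run_case(int len)
{
    static const struct model_device_info list[3] = {
        { {0x01, 0x02, 0x03, 0x04}, "printer" },
        { {0x05, 0x06, 0x07, 0x08}, "phone" },
        { {0x09, 0x0a, 0x0b, 0x0c}, "laptop" },
    };
    char optval[256];
    int optlen = len;
    int rc = model_getsockopt(optval, &optlen, list, 3);

    return rc < 0 ? rc : optlen;
}

int main(void)
{
    int lens[] = { 100, 20, 4, 2, -1 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%4d -> %d\n", lens[i], run_case(lens[i]));
    return 0;
}
```

With the constructed 16-byte records the full list needs 4 + 3*16 = 52 bytes, so a length of 100 reports 52 bytes used, a length of 20 is clamped to one record plus the header, a length of exactly 4 carries only the header, and lengths of 2 or -1 are rejected with -EINVAL before any copy happens.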




Thread overview: 5+ messages
2001-07-13 23:20 [CHECKER] 52 probable security holes in 2.4.6 and 2.4.6-ac2 Kenneth Michael Ashcraft
2001-07-14 12:01 ` Alan Cox
2001-07-15 15:40 ` Philipp Matthias Hahn [this message]
2001-07-16 15:56 ` Jeff Hartmann
2001-07-16 18:26   ` Andreas Dilger
