Full Disclosure mailing list archives
Re: Linux Kernel sctp_setsockopt() Integer Overflow
From: Jirka Kosina <jikos () jikos cz>
Date: Sat, 29 May 2004 05:13:17 +0200 (CEST)
On Thu, 27 May 2004, Michael Tokarev wrote:
I was wrong reading the above code, simple as that. Sure, kmalloc(0) will NOT return NULL as I claimed. if (size > csizep->cs_size) continue; Here, when size == 0 (and csizep->cs_size is always > 0), the condition is always false, so the next instruction will be executed, which is: return __kmem_cache_alloc(flags & GFP_DMA ? csizep->cs_dmacachep : csizep->cs_cachep, flags); which will allocate either 32 or 64 bytes of memory (depending on the arch) and return it to the caller. So there IS a bug, exactly as described in the original advisory. I wonder why noone replied... ;)
Because this all is debate about nothing, as the original advisory was fake, because you simply can't pass negative optlen to setsockopt() syscall, so there is nothing to be exploited. asmlinkage long sys_setsockopt(int fd, int level, int optname, char __user *optval, { int err; struct socket *sock; if (optlen < 0) return -EINVAL; ... -- JiKos. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Linux Kernel sctp_setsockopt() Integer Overflow Shaun Colley (May 11)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Tom Rini (May 11)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Stefan Esser (May 11)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Michael Tokarev (May 15)
- Re: Re: Linux Kernel sctp_setsockopt() Integer Overflow Jirka Kosina (May 15)
- Re: Re: Linux Kernel sctp_setsockopt() Integer Overflow Stefan Esser (May 15)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Evgeny Demidov (May 15)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Michael Tokarev (May 27)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Jirka Kosina (May 28)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Michael Tokarev (May 28)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Michael Tokarev (May 28)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Michael Tokarev (May 28)
- Re: Re: Linux Kernel sctp_setsockopt() Integer Overflow Jirka Kosina (May 15)