Full Disclosure mailing list archives
Re: Linux Kernel sctp_setsockopt() Integer Overflow
From: Michael Tokarev <mjt () tls msk ru>
Date: Sat, 15 May 2004 22:24:25 +0400
Shaun Colley wrote:
[]
> Below is the vulnerable call:
> ---
> if (NULL == (tmp = kmalloc(optlen + 1, GFP_KERNEL))) {
>         retval = -ENOMEM;
>         goto out_unlock;
> }
> ---
> Because kmalloc() takes the 'count' variable as an unsigned number,
> negative numbers are interpreted as large unsigned numbers. However,
> if -1 is passed as 'optlen' (represented as 0xffffffff (hex) in
> unsigned variables, which is the largest value an unsigned
> ....
[]
> And thus, due to the integer overflow, 0 is passed to kmalloc(),
> causing too little memory to be allocated to hold 'optval'.

But kmalloc(0) will return NULL, and the whole setsockopt will finish
with errno set to ENOMEM. From 2.4 mm/slab.c:

  void * kmalloc (size_t size, int flags)
  {
          cache_sizes_t *csizep = cache_sizes;

          for (; csizep->cs_size; csizep++) {
                  if (size > csizep->cs_size)
                          continue;
                  return __kmem_cache_alloc(flags & GFP_DMA ?
                           csizep->cs_dmacachep : csizep->cs_cachep, flags);
          }
          return NULL;
  }

So, where's the bug?

/mjt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
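As an added user-space model (not kernel code and not from either poster), the `optlen + 1` arithmetic from the quoted sctp_setsockopt() call next to the size-class walk of the quoted 2.4 kmalloc(), so the two claims in the thread can be checked by hand; the size-class table (4 KiB pages) and the OPTLEN_MAX bound in the hardened variant are assumptions.

```c
#include <stddef.h>

/* Model of the cache_sizes table the quoted 2.4 kmalloc() walks.
 * Assumption: 4 KiB pages, so the smallest class is 32 bytes. */
static const size_t cache_sizes[] = {
    32, 64, 128, 256, 512, 1024, 2048, 4096,
    8192, 16384, 32768, 65536, 131072, 0 /* terminator */
};

/* Size class the quoted loop picks for 'size', or 0 where the loop
 * falls through and kmalloc() returns NULL (size above the largest class). */
size_t kmalloc_class(size_t size)
{
    for (const size_t *cs = cache_sizes; *cs; cs++) {
        if (size > *cs)
            continue;
        return *cs;
    }
    return 0;
}

/* The unchecked arithmetic from the report: 'optlen' is a signed int, and
 * 'optlen + 1' is evaluated in int before it becomes kmalloc()'s size_t.
 * Only the -1 case discussed in the thread is modelled (no INT_MAX input). */
size_t naive_alloc_len(int optlen)
{
    return (size_t)(optlen + 1);
}

/* Hardened form: reject negative or oversized lengths before the add,
 * so the value handed to the allocator can never wrap.
 * OPTLEN_MAX is a hypothetical bound, not a kernel constant. */
#define OPTLEN_MAX 4096
long checked_alloc_len(int optlen)
{
    if (optlen < 0 || optlen > OPTLEN_MAX)
        return -1;                 /* caller would map this to -EINVAL */
    return (long)optlen + 1;
}
```

kmalloc_class(naive_alloc_len(-1)) shows which path a zero-length request actually takes through the quoted loop.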
Current thread:
- Linux Kernel sctp_setsockopt() Integer Overflow Shaun Colley (May 11)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Tom Rini (May 11)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Stefan Esser (May 11)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Michael Tokarev (May 15)
- Re: Re: Linux Kernel sctp_setsockopt() Integer Overflow Jirka Kosina (May 15)
- Re: Re: Linux Kernel sctp_setsockopt() Integer Overflow Stefan Esser (May 15)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Evgeny Demidov (May 15)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Michael Tokarev (May 27)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Jirka Kosina (May 28)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Michael Tokarev (May 28)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Michael Tokarev (May 28)
- Re: Linux Kernel sctp_setsockopt() Integer Overflow Michael Tokarev (May 28)
- Re: Re: Linux Kernel sctp_setsockopt() Integer Overflow Jirka Kosina (May 15)