oss-sec mailing list archives
query on a pppol2tp_recvmsg() fix - security relevant?
From: Marcus Meissner <meissner () suse de>
Date: Wed, 18 Jun 2008 18:18:40 +0200
Hi folks,

A customer asks us if the following is a security problem:

http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.26-rc6
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6b6707a50c7598a83820077393f8823ab791abf8

--
l2tp: Fix potential memory corruption in pppol2tp_recvmsg()

This patch fixes a potential memory corruption in pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer length, memcpy_toiovec() will go into uninitialized data on the kernel heap, interpret it as an iovec and start modifying memory.

The fix is to change the memcpy_toiovec() call to skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP) are handled properly. Also check that the caller's buffer is big enough for the data and set the MSG_TRUNC flag if it is not so.

Reported-by: Ilja <ilja () netric org>
Signed-off-by: James Chapman <jchapman () katalix com>
Signed-off-by: David S. Miller <davem () davemloft net>

Is this a problem?

Ciao, Marcus
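The defensive pattern the quoted commit describes, as an added userspace C example (not code from the thread or from the kernel patch): a hypothetical recv_copy_to_iovec() copies a received payload into the caller's iovec array but stops at the last iovec entry and sets MSG_TRUNC, where an unchecked memcpy_toiovec() kept walking past the array into whatever heap memory followed it.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>   /* MSG_TRUNC */
#include <sys/uio.h>      /* struct iovec */

/* Hypothetical helper modelling the fixed recvmsg path. Copies up to skb_len
 * bytes of skb_data into the caller's iovec array of iovcnt entries. The loop
 * is bounded by iovcnt, so it never reads an iovec beyond iov[iovcnt - 1].
 * Returns the number of bytes copied; sets MSG_TRUNC in *flags when the
 * payload did not fit, matching the behaviour the commit message asks for. */
size_t recv_copy_to_iovec(const unsigned char *skb_data, size_t skb_len,
                          const struct iovec *iov, int iovcnt, int *flags)
{
    size_t copied = 0;
    int i;

    for (i = 0; i < iovcnt && copied < skb_len; i++) {
        size_t n = skb_len - copied;
        if (n > iov[i].iov_len)
            n = iov[i].iov_len;           /* fill this entry, no further */
        memcpy(iov[i].iov_base, skb_data + copied, n);
        copied += n;
    }
    if (copied < skb_len)
        *flags |= MSG_TRUNC;              /* caller's buffers were too small */
    return copied;
}

/* Constructed data: a 12-byte payload against two buffers totalling 8 bytes.
 * Returns 1 when exactly 8 bytes landed and MSG_TRUNC was reported. */
int demo_truncated(void)
{
    const unsigned char pkt[] = "AAAABBBBCCCC";
    unsigned char a[5] = {0}, b[3] = {0};
    struct iovec iov[2] = { { a, sizeof a }, { b, sizeof b } };
    int flags = 0;
    size_t n = recv_copy_to_iovec(pkt, sizeof pkt - 1, iov, 2, &flags);
    return n == 8 && (flags & MSG_TRUNC) != 0 &&
           memcmp(a, "AAAAB", 5) == 0 && memcmp(b, "BBB", 3) == 0;
}

/* Constructed data: a 4-byte payload that fits in one 8-byte buffer.
 * Returns 1 when all 4 bytes were copied and no truncation was flagged. */
int demo_fits(void)
{
    const unsigned char pkt[] = "1234";
    unsigned char buf[8] = {0};
    struct iovec iov = { buf, sizeof buf };
    int flags = 0;
    size_t n = recv_copy_to_iovec(pkt, 4, &iov, 1, &flags);
    return n == 4 && flags == 0 && memcmp(buf, "1234", 4) == 0;
}
```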