Re: Re: CVE-2009-1265 kernel: af_rose/x25: Sanity check the maximum user frame size

[Willy Tarreau <w () 1wt eu>]

On Thu, Apr 23, 2009 at 09:08:05AM +0200, Willy Tarreau wrote:
> On Thu, Apr 23, 2009 at 02:54:06PM +0800, Eugene Teo wrote:
> > Willy Tarreau wrote:
> > > Hi Eugene,
> > >
> > > On Wed, Apr 08, 2009 at 03:58:55PM +0800, Eugene Teo wrote:
> > > > {nr,rose,x25}_sendmsg() functions need to have sanity checks on the
> > > > packet size, otherwise the sizes can wrap and end up sending garbage.
> > > >
> > > > http://bugzilla.kernel.org/show_bug.cgi?id=10423
> > > > http://git.kernel.org/linus/83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
> > > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1265
> > > >
> > > > This affects both 2.4.x and 2.6.x if CONFIG_{NETROM,ROSE,X25} are enabled.
> > >
> > > I already have it in my queue, just did not have time to merge it yet.
> > > Thanks for the reminder anyway, I really appreciate it ;-)
> >
> > You will need this too :)
> >
> > upstream commit: cc29c70dd581f85ee7a3e7980fb031f90b90a2ab
> >
> > Patch "af_rose/x25: Sanity check the maximum user frame size"
> > (commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9) from Alan Cox got
> > locking wrong. If we bail out due to user frame size being too large,
> > we must unlock the socket beforehand.
>
> OK thanks Eugene!
> Willy

Just checked, but nr_sendmsg() does not use lock_sock()/release_sock() in
2.4, so the patch above did not bring any regression. I don't know if this
lock is needed there. It has always been there in 2.6 and never in 2.4.
Either it's a long-time missed patch or just not needed here. I won't touch
it as I have no way to test it and nobody complains ;-)

Regards,
Willy