oss-sec mailing list archives

CVE-2009-2903 kernel: appletalk: denial of service when handling IP tunnelled over DDP datagrams

From: Eugene Teo <eugeneteo () kernel sg>
Date: Mon, 14 Sep 2009 08:57:02 +0800

The check for the ipddpN device in the handle_ip_over_ddp() functionreturns -NODEV to the atalk_rcv() function when the device does notexist. The atalk_rcv() function then directly returns that value to itscaller. There is a missing call to kfree_skb() in these unacceptedIP-DDP datagram that can exhaust the kernel memory eventually. Itaffects Linux hosts with appletalk and ipddp modules loaded, that areattached to the same link. Thanks to Mark Smith for reporting this issueto us.


net-next-2.6 commit:

http://git.kernel.org/?p=linux/kernel/git/davem/net-next-2.6.git;a=commit;h=ffcfb8db540ff879c2a85bf7e404954281443414


Possible mitigation method:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2903#c3

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2903
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/networking/ipddp.txt;h=661a5558dd8e928f15771c07ef34b3ee9cb81e57;hb=HEAD

Greg, this should go to -stable.

Willy, this affects upstream 2.4 I believe.

Thanks, Eugene

Current thread:

CVE-2009-2903 kernel: appletalk: denial of service when handling IP tunnelled over DDP datagrams Eugene Teo (Sep 13)
- Re: CVE-2009-2903 kernel: appletalk: denial of service when handling IP tunnelled over DDP datagrams Willy Tarreau (Sep 13)
- Re: CVE-2009-2903 kernel: appletalk: denial of service when handling IP tunnelled over DDP datagrams Eugene Teo (Sep 16)
  - Re: CVE-2009-2903 kernel: appletalk: denial of service when handling IP tunnelled over DDP datagrams Eugene Teo (Sep 17)