Minor net/core/sock.c security issue?

From: Chris Evans (chris@scary.beasts.org)
Date: Mon Jul 23 2001 - 17:24:19 EST

Next message: Andrea Arcangeli: "Re: user-mode port 0.44-2.4.7"
Previous message: Jerome de Vivie: "Re: Yet another linux filesytem: with version control"
Next in thread: David S. Miller: "Re: Minor net/core/sock.c security issue?"
Reply: David S. Miller: "Re: Minor net/core/sock.c security issue?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

May be nothing, but it looks like SO_*BUF may have signedness issues (have
these been picked up by the Stanford tools and fixed in recent 2.4.x?)

    int val;
...
    case SO_SNDBUF:
      if (val > sysctl_wmem_max)
        val = sysctl_wmem_max;
      sk->sndbuf = max(val*2,2048);

If val is negative, then sk->sndbuf ends up negative. This is because the
arguments to max are passed as _unsigned_ ints. SO_RCVBUF has similar
issues. Maybe a nasty local user could use this to chew up memory?

Cheers
Chris

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrea Arcangeli: "Re: user-mode port 0.44-2.4.7"
Previous message: Jerome de Vivie: "Re: Yet another linux filesytem: with version control"
Next in thread: David S. Miller: "Re: Minor net/core/sock.c security issue?"
Reply: David S. Miller: "Re: Minor net/core/sock.c security issue?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Mon Jul 23 2001 - 21:00:17 EST