I've hacked your hack to apply cleanly to 2.2.10 stock and tested it
on a dual PII, SMB enabled, the machine don't crash, but the keyboard stop
working after some time and the machine respond to ping, but can't access
the machine remotely. :(
- Arnaldo
--- linux/include/net/tcp.h.orig Wed Jun 16 13:16:43 1999
+++ linux/include/net/tcp.h Fri Jun 18 21:03:37 1999
@@ -121,8 +121,10 @@
struct tcp_bind_bucket *tb;
unsigned short snum = sk->num;
- for(tb = tcp_bound_hash[tcp_bhashfn(snum)]; tb->port != snum; tb = tb->next)
+ for(tb = tcp_bound_hash[tcp_bhashfn(snum)]; tb && (tb->port != snum); tb = tb->next)
;
+ if (!tb)
+ return; // HACK
/* Update bucket flags. */
if(tb->owners == NULL) {
/* We're the first. */
@@ -1074,6 +1076,8 @@
static __inline__ void tcp_sk_unbindify(struct sock *sk)
{
struct tcp_bind_bucket *tb = (struct tcp_bind_bucket *) sk->prev;
+ if (!sk->bind_pprev)
+ return; // HACK
if(sk->bind_next)
sk->bind_next->bind_pprev = sk->bind_pprev;
*sk->bind_pprev = sk->bind_next;
On Sat, 19 Jun 1999, Ingo Molnar wrote:
>
> On Fri, 18 Jun 1999, Brian wrote:
>
> > Just tested, 2.2.5 - 2.2.10 at the least are vulnerable.
>
> i've attached a quick patch against 2.2.10 that at least prevents the box
> from crashing, but this is a completely incorrect fix. I've been running
> the exploit for some 15 minutes now without crashing.
>
> The bug appears to be that a TCP localhost bind bucket disappears
> mysteriously from under a living socket - thus tcp_bindify() within
> tcp_ipv4_rehash finds no bucket and crashes on a NULL ptr. I've also
> hacked unbindify to ignore not bound sockets - an obvious side-effect of
> the first hack. Anyway, with this hack my box doesnt crash anymore from
> the exploit - better than nothing. Maybe the Cc:-ed TCP gods have a better
> idea what is really going on? :)
>
> -- mingo
>
> --- linux/include/net/tcp.h.orig Fri Jun 18 23:47:32 1999
> +++ linux/include/net/tcp.h Sat Jun 19 00:01:58 1999
> @@ -120,8 +120,10 @@
> struct tcp_bind_bucket *tb;
> unsigned short snum = sk->num;
>
> - for(tb = tcp_bhash[tcp_bhashfn(snum)]; tb->port != snum; tb = tb->next)
> + for(tb = tcp_bhash[tcp_bhashfn(snum)]; tb && (tb->port != snum); tb = tb->next)
> ;
> + if (!tb)
> + return; // HACK
> /* Update bucket flags. */
> if(tb->owners == NULL) {
> /* We're the first. */
> @@ -1073,6 +1075,8 @@
> static __inline__ void tcp_sk_unbindify(struct sock *sk)
> {
> struct tcp_bind_bucket *tb = (struct tcp_bind_bucket *) sk->prev;
> + if (!sk->bind_pprev)
> + return; // HACK
> if(sk->bind_next)
> sk->bind_next->bind_pprev = sk->bind_pprev;
> *sk->bind_pprev = sk->bind_next;
>
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/