Patch for DoS attack in ipc/msg.c

Scott Maxwell (
Mon, 01 Nov 1999 20:57:29 -0800

I'd appreciate a CC on any replies, though I'll follow any discussion

The appended simple two-line patch eliminates a DoS attack against
Linux kernels: if you use msgsnd() to send a 0-length message, the
kernel doesn't "charge" the message to the message queue's max length.
So you can send as many supposedly empty messages as you like, but of
course the kernel still has to allocate the message headers. You can
therefore force the kernel to eat up as much memory as you please.

The patch simply makes the message size 1 if the user claims it's 0
(note that struct msgbuf includes one byte for the message text, so
this should be safe). This shouldn't break any well-behaved apps that
send empty messages -- if there are any such apps -- but it prevents
the DoS attack.

This worked for me in an earlier kernel, though I haven't tested it
running a 2.3.24 kernel yet. Sorry for posting this directly to the
list, BTW -- I didn't see a clear maintainer for the SYSV IPC code.
Pointers welcomed.

diff -urN linux-2.3.24/ipc/msg.c linux/ipc/msg.c
--- linux-2.3.24/ipc/msg.c Thu Oct 7 10:17:09 1999
+++ linux/ipc/msg.c Sun Oct 31 14:55:46 1999
@@ -487,6 +487,8 @@
return -EFAULT;
if (mtype < 1)
return -EINVAL;
+ if (msgsz == 0)
+ msgsz = 1;

msg = (struct msg_msg *) kmalloc (sizeof(*msg) + msgsz, GFP_KERNEL);

R H L U  Scott Maxwell:  | ``Life results from the non-random survival
E A I X     maxwell@     |   of randomly varying replicators.''
D T N 5 |     -- Richard Dawkins

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to Please read the FAQ at