[snip]
> diff -urN 2.0.38/net/ipv4/ip_output.c 2.0.38-ping-R/net/ipv4/ip_output.c
> --- 2.0.38/net/ipv4/ip_output.c Thu Jun 18 23:48:22 1998
> +++ 2.0.38-ping-R/net/ipv4/ip_output.c Tue Dec 14 23:02:43 1999
> @@ -703,7 +703,13 @@
>
> if (!sk->ip_hdrincl) {
> length += sizeof(struct iphdr);
> - if(opt) length += opt->optlen;
> + if(opt)
> + {
> + /* make sure to not exceed the max packet size */
> + if (0xffff-length < opt->optlen)
> + return -EMSGSIZE;
> + length += opt->optlen;
> + }
> }
>
> if(length <= dev->mtu && !MULTICAST(daddr) && daddr!=0xFFFFFFFF && daddr!=dev->pa_brdaddr)
>
> Worked fine here so far.
>
> Andrea
>
> PS. The same bug could be exploited also using udp as normal user. So
> beware in doing a `chmod u-s /bin/ping`: it's not enough to fix the
> problem.
Alan, would you consider a v2.0.39 with just this fix (possibly something
else if something else has come up)?!
There are a LOT of people still using v2.0.xx systems, and releasing a fix
would show them that we really care.
/David
_ _
// David Weinehall <tao@acc.umu.se> /> Northern lights wander \\
// Project MCA Linux hacker // Dance across the winter sky //
\> http://www.acc.umu.se/~tao/ </ Full colour fire </
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/