
List:       bugtraq
Subject:    Re: Local Denial-of-Service attack against Linux
From:       Gigi Sullivan <sullivan () sikurezza ! org>
Date:       2000-03-31 22:37:27

Aiee :)

	Hello!

	As I said in my previous post, the patch I supplied worked, but it
	wasn't the right way to do it.

	So, I attach here a `new' patch (very easy one, tho).
	This should do the job and should be the `right way' to do it ...
	however, if someone finds something wrong, please let me (us) know.

Thx a lot

bye bye


					-- gg sullivan

> Apparently unix domain sockets are ignoring the /proc/sys/net/core/wmem_max
> parameter, despite the documentation to the contrary.  The fix should be
> simple, but I haven't had time to chase it down, and I'm not (usually) a
> Linux kernel developer.
>
> 			-- JF
>


--
Lorenzo Cavallaro	`Gigi Sullivan' <sullivan@sikurezza.org>

Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)


--- sock.c.orig	Fri Mar 31 23:36:00 2000
+++ sock.c	Fri Mar 31 23:36:29 2000
@@ -79,10 +79,6 @@
  *		Jay Schulist	:	Added SO_ATTACH_FILTER and SO_DETACH_FILTER.
  *		Andi Kleen	:	Add sock_kmalloc()/sock_kfree_s()
  *		Andi Kleen	:	Fix write_space callback
- *		Lorenzo `Gigi Sullivan' Cavallaro: Temporary Fix to local DoS due to
- *		                                   too big buffer (AF_UNIX SOCK_DGRAM).
- *		                                   Maybe this will broke something else.
- *		                                   I apologize.
  *
  * To Fix:
  *
@@ -570,18 +566,6 @@
 			skb->sk = sk;
 			return skb;
 		}
-
-		/*
-		 * kmalloc (mm/slab.c) checks the size to allocate through a
-		 * `cache size struct'.
-		 * If we try to allocate much more then the maximum, just report it
-		 * backwardly.
-		 * XXX Will this broke something, like sock_wait_for_wmem()
-		 * defined here (net/core/sock.c)?
-		 * Is this the right way ?
-		*/
-
-		sk->err = EMSGSIZE;
 	}
 	return NULL;
 }
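Review bot: dropping `sk->err = EMSGSIZE;` from the allocation-failure path of sock_alloc_send_skb() restores the original behaviour of returning NULL without touching sk->err, which is the right thing once the oversize check moves to the AF_UNIX sendmsg path, but the open questions in the removed comment (whether setting sk->err here interferes with sock_wait_for_wmem()) are the reason for the revert and deserve a one-line mention in the changelog so that the reversal is traceable later.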

--- af_unix.c.orig	Fri Mar 31 23:36:40 2000
+++ af_unix.c	Sat Apr  1 00:31:40 2000
@@ -43,6 +43,8 @@
  *					number of socks to 2*max_files and
  *					the number of skb queueable in the
  *					dgram receiver.
+ *    Lorenzo `Gigi Sullivan' Cavallaro	:	Fixed local DoS attack, due to
+ *             unchecked sysctl_wmem_max sysctl (I hope) :)
  *
  * Known differences from reference BSD that was tested:
  *
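Review bot: the new changelog entry is indented with spaces while the surrounding entries align their text with tabs to a common column; match that alignment, and replace "(I hope) :)" with a factual description of the change, since the check added in unix_dgram_sendmsg() compares the message length against sk->sndbuf rather than reading sysctl_wmem_max directly.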
@@ -972,6 +974,16 @@
 	if (sock->passcred && !sk->protinfo.af_unix.addr)
 		unix_autobind(sock);

+	/*
+	 * This should FIX the local DoS attack about sending msgs > sk->sndbuf
+	 * Never had time to look the optimization code used for unix_stream,
+	 * so, if the buffer we are going to send is > sysctl_wmem_max, just
+	 * report an error (Drop the `packet').
+	*/
+
+	if (len > sk->sndbuf - 16)
+		return -EMSGSIZE;
+	
 	skb = sock_alloc_send_skb(sk, len, 0, msg->msg_flags&MSG_DONTWAIT, &err);
 	if (skb==NULL)
 		goto out;
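Review bot: the new check `if (len > sk->sndbuf - 16) return -EMSGSIZE;` compares against sk->sndbuf, but the comment immediately above it says the limit is sysctl_wmem_max; make the comment describe what the code does, and explain where the 16-byte slack comes from instead of leaving it as an unexplained constant. For consistency with the allocation-failure path right below (`if (skb==NULL) goto out;`), consider `err = -EMSGSIZE; goto out;` rather than a bare return, so that every error leaves the function through the same exit; the added line after the check also consists of a lone tab and should be dropped as trailing whitespace.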

