List: bugtraq
Subject: Re: Local Denial-of-Service attack against Linux
From: Gigi Sullivan <sullivan () sikurezza ! org>
Date: 2000-03-31 22:37:27
Aiee :)
Hello!
As I said in my previous post, the patch I supplied worked, but it
wasn't the right way to do it.
So, I attach here a `new' patch (very easy one, tho).
This should do the job and should be the `right way' to do it ...
however, if someone finds something wrong, please let me (us) know.
Thx a lot
bye bye
-- gg sullivan
> Apparently unix domain sockets are ignoring the /proc/sys/net/core/wmem_max
> parameter, despite the documentation to the contrary. The fix should be
> simple, but I haven't had time to chase it down, and I'm not (usually) a
> Linux kernel developer.
>
> -- JF
>
--
Lorenzo Cavallaro `Gigi Sullivan' <sullivan@sikurezza.org>
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
--- sock.c.orig Fri Mar 31 23:36:00 2000
+++ sock.c Fri Mar 31 23:36:29 2000
@@ -79,10 +79,6 @@
* Jay Schulist : Added SO_ATTACH_FILTER and SO_DETACH_FILTER.
* Andi Kleen : Add sock_kmalloc()/sock_kfree_s()
* Andi Kleen : Fix write_space callback
- * Lorenzo `Gigi Sullivan' Cavallaro: Temporary Fix to local DoS due to
- * too big buffer (AF_UNIX SOCK_DGRAM).
- * Maybe this will broke something else.
- * I apologize.
*
* To Fix:
*
@@ -570,18 +566,6 @@
skb->sk = sk;
return skb;
}
-
- /*
- * kmalloc (mm/slab.c) checks the size to allocate through a
- * `cache size struct'.
- * If we try to allocate much more then the maximum, just report it
- * backwardly.
- * XXX Will this broke something, like sock_wait_for_wmem()
- * defined here (net/core/sock.c)?
- * Is this the right way ?
- */
-
- sk->err = EMSGSIZE;
}
return NULL;
}
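Review bot: with `sk->err = EMSGSIZE;` gone from the path ahead of `return NULL;`, nothing in this function reports an oversize request any more, and the patch replaces it with a check in one caller only (the af_unix.c hunk). Please confirm no other caller of this allocation path needs the same guard, or state in the changelog that the size check is now the caller's responsibility.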
--- af_unix.c.orig Fri Mar 31 23:36:40 2000
+++ af_unix.c Sat Apr 1 00:31:40 2000
@@ -43,6 +43,8 @@
* number of socks to 2*max_files and
* the number of skb queueable in the
* dgram receiver.
+ * Lorenzo `Gigi Sullivan' Cavallaro : Fixed local DoS attack, due to
+ * unchecked sysctl_wmem_max sysctl (I hope) :)
*
* Known differences from reference BSD that was tested:
*
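Review bot: the changelog entry added at "Fixed local DoS attack, due to unchecked sysctl_wmem_max sysctl (I hope) :)" does not match the code in this file, which compares against sk->sndbuf rather than sysctl_wmem_max. Suggest wording the entry after the actual check (datagram length rejected with EMSGSIZE when it exceeds the socket send buffer) and dropping "(I hope) :)" from the header.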
@@ -972,6 +974,16 @@
if (sock->passcred && !sk->protinfo.af_unix.addr)
unix_autobind(sock);
+ /*
+ * This should FIX the local DoS attack about sending msgs > sk->sndbuf
+ * Never had time to look the optimization code used for unix_stream,
+ * so, if the buffer we are going to send is > sysctl_wmem_max, just
+ * report an error (Drop the `packet').
+ */
+
+ if (len > sk->sndbuf - 16)
+ return -EMSGSIZE;
+
skb = sock_alloc_send_skb(sk, len, 0, msg->msg_flags&MSG_DONTWAIT, &err);
if (skb==NULL)
goto out;
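Review bot: the constant in `if (len > sk->sndbuf - 16)` is unexplained, and the comment above it refers to sysctl_wmem_max while the test uses sk->sndbuf. Please document what the 16 bytes account for (or give it a name), make the comment describe the limit actually enforced, and check the comparison for small sndbuf values, where the subtraction could reach zero or go negative. The new branch also leaves with a bare `return -EMSGSIZE;` while the failure path right below uses `goto out;`; if anything set up earlier in the function needs the cleanup at out, set err and jump there instead.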