[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-sctp
Subject:    Re: [PATCH]: SCTP length validation.
From:       David Miller <davem () davemloft ! net>
Date:       2008-06-23 21:42:07
Message-ID: 20080623.144207.89110071.davem () davemloft ! net
[Download RAW message or body]

From: Vlad Yasevich <vladislav.yasevich@hp.com>
Date: Mon, 23 Jun 2008 11:59:43 -0400

> David Miller wrote:
> > From: Vlad Yasevich <vladislav.yasevich@hp.com>
> > Date: Sat, 21 Jun 2008 11:55:19 -0400
> > 
> >> The same vulnerability also exists in sctp_getsockopt_peer_addrs_old().
> >> It's a bit more difficult to trigger since there is a dependency on
> >> the peer being multihomed as well, but it's still possible to cause the
> >> overwrite.
> > 
> > I can't see how that's possible.  This case looks harmless to
> > me.
> > 
> > The kernel side accesses are perfectly protected.  The kernel
> > will only access the actual address list stored via:
 ...
> 
> You are right.  I didn't look far enough.  Since there is no kmalloc(),
> the overflow of kernel memory is not possible, and copy_to_user should
> take care of any overflows of the user memory.

Thanks for double-checking my analysis Vlad.
--
To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]