
Re: [linux-2.6] Fix signedness issues in net/core/filter.c



On Tue, Oct 25, 2005 at 05:35:19PM +0200, Florian Weimer wrote:
> Is the issue described below already on your radar screen?  I couldn't
> find it in the relevant files.  AFAICT, no CVE name has been assigned.

It's the first I've seen of it, but that doesn't mean much.
Which GIT tree is the commit from, I checked Linus' 2.6 and it
doesn't seem to be there. Alternatively, is there a mailing list
discussion you can point me to?

I just came back from holidays in Korea with Dave Miller which would
explain a) why I am so slow this week and b) perhaps why it hasn't
made it into Linus' tree. I think he'll be back on deck next week.

> commit 4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e
> Author: Patrick McHardy <kaber@trash.net>
> Date:   Mon Jul 18 06:52:50 2005 +0200
> 
>     [PATCH] Fix signedness issues in net/core/filter.c
>     
>     This is the code to load packet data into a register:
>     
>                             k = fentry->k;
>                             if (k < 0) {
>     ...
>                             } else {
>                                     u32 _tmp, *p;
>                                     p = skb_header_pointer(skb, k, 4, &_tmp);
>                                     if (p != NULL) {
>                                             A = ntohl(*p);
>                                             continue;
>                                     }
>                             }
>     
>     skb_header_pointer checks if the requested data is within the
>     linear area:
>     
>             int hlen = skb_headlen(skb);
>     
>             if (offset + len <= hlen)
>                     return skb->data + offset;
>     
>     When offset is within [INT_MAX-len+1..INT_MAX] the addition will
>     result in a negative number which is <= hlen.
>     
>     I couldn't trigger a crash on my AMD64 with 2GB of memory, but a
>     coworker tried on his x86 machine and it crashed immediately.
>     
>     This patch fixes the check in skb_header_pointer to handle large
>     positive offsets similar to skb_copy_bits. Invalid data can still
>     be accessed using negative offsets (also similar to skb_copy_bits),
>     anyone using negative offsets needs to verify them himself.
>     
>     Thanks to Thomas Vögtle <thomas.voegtle@coreworks.de> for verifying the
>     problem by crashing his machine and providing me with an Oops.
>     
>     Signed-off-by: Patrick McHardy <kaber@trash.net>
>     Signed-off-by: Chris Wright <chrisw@osdl.org>
>     Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> 

-- 
Horms
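The quoted commit message explains the bug in prose: with a large positive offset, `offset + len` wraps negative and slips past the `<= hlen` test. The following C program is an added example, not code from the commit or from the thread; it stands in a constructed `toy_skb` for the linear area of an sk_buff, reproduces the old check with well-defined wraparound, and contrasts it with an overflow-safe formulation (`hlen - offset >= len`, which is an assumption here since the page shows the bug but not the patched line). It also counts, for a given `len`, how many of the offsets in `[INT_MAX-len+1..INT_MAX]` the old check wrongly accepts.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the linear area of an sk_buff (constructed for this example,
 * not the kernel's struct sk_buff). */
struct toy_skb {
	unsigned char *data;
	int headlen;	/* what skb_headlen() would return */
};

/* Two's-complement wrapping add, done in unsigned arithmetic so the overflow
 * the commit describes is well-defined in this example rather than UB. */
static int wrap_add(int a, int b)
{
	return (int)((unsigned int)a + (unsigned int)b);
}

/* The check quoted from the old skb_header_pointer: offset + len <= hlen.
 * Returns 1 if the check would accept the request; it never touches memory. */
static int old_check_accepts(int offset, int len, int hlen)
{
	return wrap_add(offset, len) <= hlen;
}

/* Overflow-safe formulation (assumption: the page shows the bug, not the fix).
 * With offset >= 0 and hlen >= 0, hlen - offset cannot overflow, so a huge
 * positive offset gives a large negative value that is correctly rejected.
 * Negative offsets are rejected outright here; the commit leaves those to the
 * caller, and the filter code already tests k < 0 before calling. */
static int new_check_accepts(int offset, int len, int hlen)
{
	if (offset < 0 || len < 0)
		return 0;
	return hlen - offset >= len;
}

/* skb_header_pointer look-alike for the linear area, using the safe check. */
static const unsigned char *toy_header_pointer(const struct toy_skb *skb,
					       int offset, int len)
{
	if (!new_check_accepts(offset, len, skb->headlen))
		return NULL;
	return skb->data + offset;
}

/* How many offsets in [INT_MAX - len + 1 .. INT_MAX] does the old check accept
 * for a linear area of hlen bytes? The commit message predicts all of them. */
static int count_wrapping_offsets(int len, int hlen)
{
	int n = 0;
	long long off;

	for (off = (long long)INT_MAX - len + 1; off <= INT_MAX; off++)
		if (old_check_accepts((int)off, len, hlen))
			n++;
	return n;
}

int main(void)
{
	unsigned char buf[20];	/* constructed 20-byte linear area */
	struct toy_skb skb = { buf, (int)sizeof buf };
	int i;

	for (i = 0; i < (int)sizeof buf; i++)
		buf[i] = (unsigned char)i;

	printf("in range   offset=10        len=4: old=%d new=%d\n",
	       old_check_accepts(10, 4, skb.headlen),
	       new_check_accepts(10, 4, skb.headlen));
	printf("past end   offset=17        len=4: old=%d new=%d\n",
	       old_check_accepts(17, 4, skb.headlen),
	       new_check_accepts(17, 4, skb.headlen));
	printf("wraps      offset=INT_MAX-3 len=4: old=%d new=%d\n",
	       old_check_accepts(INT_MAX - 3, 4, skb.headlen),
	       new_check_accepts(INT_MAX - 3, 4, skb.headlen));
	printf("offsets near INT_MAX wrongly accepted by old check: %d of 4\n",
	       count_wrapping_offsets(4, skb.headlen));

	/* The safe look-alike must refuse the wrapping offset. */
	return toy_header_pointer(&skb, INT_MAX - 3, 4) == NULL ? 0 : 1;
}
```

The third line of output is the whole bug in one row: the old check reports the request as in range while the safe form rejects it. Note that the safe form is only safe because both `hlen` and `offset` are non-negative at the point of subtraction, which is why the example rejects negative offsets before doing the arithmetic.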
