[12961] in bugtraq


Re: Big problem on linux 2.0

daemon@ATHENA.MIT.EDU (Andrea Arcangeli)
Tue Dec 14 22:25:12 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.9912142305410.3581-100000@alpha.random>
Date:         Tue, 14 Dec 1999 23:09:36 +0100
Reply-To: Andrea Arcangeli <andrea@SUSE.DE>
From: Andrea Arcangeli <andrea@SUSE.DE>
X-To:         visi0n <visi0n@AUX-TECH.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.3.96.991211225239.339B-100000@variola.chinatown.org>

On Sat, 11 Dec 1999, visi0n wrote:

>In my last mail I'd posted a patch for kernel 2.0.38 that was made
>against a modified socket.c; you need this one for the original kernel
>(2.0.38). Sorry...
>
>@@ -966,8 +966,9 @@
>        struct msghdr msg;
>        struct iovec iov;
>
>-       if(len<0)
>+       if(len < 0 || len >= 65468)
>                return -EINVAL;
>+
>        err=verify_area(VERIFY_READ,buff,len);
>        if(err)
>                return err;
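Review bot: the new `len >= 65468` bound is added in a single syscall wrapper, while the reply below names send and sendmsg as further entry points that deliver the same length to ip_build_xmit; a check that only guards one wrapper is bypassed by any other path to the same sink, so the bound belongs in the common code (ip_build_xmit or the protocol's sendmsg handler), not here. The literal 65468 is also an unexplained magic number: it should be a named constant with a comment giving its derivation, and since it appears to assume the full 40 bytes of IP options (the reply notes that 65467 is too tight when the options are shorter), the check as written rejects legitimate datagrams. Minor: the added `>+` blank line after `return -EINVAL;` is unrelated whitespace churn and can be dropped.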

The above patch doesn't fix the bug, because you can still use
the other kernel entry points send/sendmsg to feed a big payload to
ip_build_xmit.

Also note that you don't need to restrict the max size of a packet to
65467 bytes when the IP options are < 40 bytes.

Andrea
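As an added illustration of the two points above (this is a constructed model, not code from the thread or from the 2.0 kernel): the payload bound is derived from the actual IP option length and enforced once at the common sink, so a sendto-style and a sendmsg-style entry both hit the same check. The function names, the constant names and the `-EMSGSIZE` return value are assumptions of the model.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of the length check discussed in the thread.
 * The limit is computed from real header sizes, not hard-coded, and
 * it is enforced at the sink every entry point must pass through. */

#define IP_MAX_DATAGRAM 65535   /* 16-bit IP Total Length field */
#define IP_BASE_HDRLEN  20      /* IPv4 header without options */
#define IP_MAX_OPTLEN   40      /* options are limited by IHL (15*4 - 20) */
#define UDP_HDRLEN      8

/* Largest UDP payload that fits in one datagram for this option length.
 * optlen 0 gives 65507; optlen 40 gives 65467, the figure in the thread. */
static int max_udp_payload(int optlen)
{
    if (optlen < 0 || optlen > IP_MAX_OPTLEN)
        return -EINVAL;
    return IP_MAX_DATAGRAM - IP_BASE_HDRLEN - optlen - UDP_HDRLEN;
}

/* Stand-in for the common sink (ip_build_xmit in the thread). Because
 * the bound lives here, no syscall wrapper can route around it. */
static int build_xmit(int optlen, int len)
{
    int limit = max_udp_payload(optlen);
    if (limit < 0)
        return limit;
    if (len < 0 || len > limit)
        return -EMSGSIZE;       /* oversized or negative request */
    return len;                 /* bytes accepted for transmission */
}

/* Thin entry points modelling sendto() and sendmsg(): neither carries
 * its own length test, both rely on the sink. */
static int model_sendto(int optlen, int len)  { return build_xmit(optlen, len); }
static int model_sendmsg(int optlen, int len) { return build_xmit(optlen, len); }

int main(void)
{
    /* No options: 65507 bytes fit; a fixed 65467 bound would reject them. */
    printf("sendto,  0-byte options, 65507 bytes -> %d\n", model_sendto(0, 65507));
    /* Full 40 bytes of options: the limit is exactly 65467. */
    printf("sendmsg, 40-byte options, 65468 bytes -> %d\n", model_sendmsg(40, 65468));
    return 0;
}
```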
