[14467] in bugtraq


Re: Local Denial-of-Service attack against Linux

daemon@ATHENA.MIT.EDU (Gigi Sullivan)
Fri Mar 31 21:04:18 2000

Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=GvXjxJ+pjyke8COw
Message-Id:  <20000401003726.A322@armageddon.allanon.org>
Date:         Sat, 1 Apr 2000 00:37:27 +0200
Reply-To: sullivan@sikurezza.org
From: Gigi Sullivan <sullivan@SIKUREZZA.ORG>
X-To:         Jay Fenlason <fenlason@CLEARWAY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000323175509.A23709@clearway.com>; from Jay Fenlason on Thu,
              Mar 23, 2000 at 05:55:09PM -0500

--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=us-ascii

Aiee :)

	Hello!

	As I said in my previous post, the patch I supplied worked, but it
	wasn't the right way to do it.

	So, I attach here a `new' patch (very easy one, tho).
	This should do the job and should be the `right way' to do it ...
	however, if someone finds something wrong, please let me (us) know.

Thx a lot

bye bye


					-- gg sullivan

> Apparently unix domain sockets are ignoring the /proc/sys/net/core/wmem_max
> parameter, despite the documentation to the contrary.  The fix should be
> simple, but I haven't had time to chase it down, and I'm not (usually) a
> Linux kernel developer.
>
> 			-- JF
>


--
Lorenzo Cavallaro	`Gigi Sullivan' <sullivan@sikurezza.org>

Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)

--GvXjxJ+pjyke8COw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=ldos_patch_last

--- sock.c.orig	Fri Mar 31 23:36:00 2000
+++ sock.c	Fri Mar 31 23:36:29 2000
@@ -79,10 +79,6 @@
  *		Jay Schulist	:	Added SO_ATTACH_FILTER and SO_DETACH_FILTER.
  *		Andi Kleen	:	Add sock_kmalloc()/sock_kfree_s()
  *		Andi Kleen	:	Fix write_space callback
- *		Lorenzo `Gigi Sullivan' Cavallaro: Temporary Fix to local DoS due to
- *		                                   too big buffer (AF_UNIX SOCK_DGRAM).
- *		                                   Maybe this will broke something else.
- *		                                   I apologize.
  *
  * To Fix:
  *
@@ -570,18 +566,6 @@
 			skb->sk = sk;
 			return skb;
 		}
-
-		/*
-		 * kmalloc (mm/slab.c) checks the size to allocate through a
-		 * `cache size struct'.
-		 * If we try to allocate much more then the maximum, just report it
-		 * backwardly.
-		 * XXX Will this broke something, like sock_wait_for_wmem()
-		 * defined here (net/core/sock.c)?
-		 * Is this the right way ?
-		*/
-
-		sk->err = EMSGSIZE;
 	}
 	return NULL;
 }
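Review bot: Dropping `sk->err = EMSGSIZE;` from the failure path of this allocator is the right call: sk->err is the socket's pending asynchronous error and is reported to the next socket operation (or read out with SO_ERROR), so setting it here would hand EMSGSIZE to some later, unrelated call rather than to the send that was too large. The function already signals the failure with the `return NULL;` that closes the hunk, and the caller in af_unix.c checks exactly that (`if (skb==NULL) goto out;`), so no error information is lost by the removal. The remaining removed lines are only the comment block that accompanied the temporary fix, which leaves the function as it was before it.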

--- af_unix.c.orig	Fri Mar 31 23:36:40 2000
+++ af_unix.c	Sat Apr  1 00:31:40 2000
@@ -43,6 +43,8 @@
  *					number of socks to 2*max_files and
  *					the number of skb queueable in the
  *					dgram receiver.
+ *    Lorenzo `Gigi Sullivan' Cavallaro	:	Fixed local DoS attack, due to
+ *             unchecked sysctl_wmem_max sysctl (I hope) :)
  *
  * Known differences from reference BSD that was tested:
  *
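Review bot: The changelog entry describes the bug as an "unchecked sysctl_wmem_max sysctl", but the check this same patch adds in unix_dgram sendmsg compares `len` against `sk->sndbuf - 16`, not against sysctl_wmem_max; the entry should name what is actually enforced (the per-socket send buffer) so the file history stays accurate. A style point: the two new lines are indented with spaces while the surrounding entries use tabs to line up the author column and the description; match the existing layout.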
@@ -972,6 +974,16 @@
 	if (sock->passcred && !sk->protinfo.af_unix.addr)
 		unix_autobind(sock);

+	/*
+	 * This should FIX the local DoS attack about sending msgs > sk->sndbuf
+	 * Never had time to look the optimization code used for unix_stream,
+	 * so, if the buffer we are going to send is > sysctl_wmem_max, just
+	 * report an error (Drop the `packet').
+	*/
+
+	if (len > sk->sndbuf - 16)
+		return -EMSGSIZE;
+	
 	skb = sock_alloc_send_skb(sk, len, 0, msg->msg_flags&MSG_DONTWAIT, &err);
 	if (skb==NULL)
 		goto out;
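Review bot: The new check does `return -EMSGSIZE;` directly, while the rest of this function reports failures through `err` and `goto out` (visible right below: `if (skb==NULL) goto out;`); write it as `err = -EMSGSIZE; goto out;` so that whatever cleanup sits at the `out:` label still runs and the error path stays uniform. Three smaller points: the comment says buffers larger than `sysctl_wmem_max` are dropped, but the test is against `sk->sndbuf - 16`, and the `16` is an unexplained magic number, so state in the comment that the limit is the per-socket send buffer and what the 16 bytes of slack are for (or give it a named constant); the `+` line following `return -EMSGSIZE;` contains only a tab, i.e. trailing whitespace that should not be committed; and the comment admits the unix_stream path was not examined, so the same oversized-message condition should be checked on the stream sendmsg side before this is treated as a complete fix.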

--GvXjxJ+pjyke8COw--
