[14475] in bugtraq


Re: Local Denial-of-Service attack against Linux

daemon@ATHENA.MIT.EDU (Gigi Sullivan)
Tue Apr 4 01:30:29 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000403230024.A286@armageddon.libero.it>
Date:         Mon, 3 Apr 2000 23:00:24 +0200
Reply-To: Gigi Sullivan <sullivan@SIKUREZZA.ORG>
From: Gigi Sullivan <sullivan@SIKUREZZA.ORG>
X-To:         Jeff Dafoe <jeffd@EVCOM.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.3.96.1000402110433.6983B-100000@zothommog.evcom.net>;
              from Jeff Dafoe on Sun, Apr 02, 2000 at 11:10:29AM -0400

Aiee :)

	Hello!

>
> 	The issues causing this DoS are apparently more complex than it
> may appear, I have followed the discussion in the Linux kernel mailing
> list.  There is a patch for the exploit in 2.2.15pre-16 and it is a
> noteworthy amount of code.
>
> Jeff

	Well, as I said in my previous post, I did the patch, but I said
	that I'm not sure if my patch is the `right way to do it'.

	However, I downloaded pre-patch-2.2.15pre-16 from
	ftp.kernel.org/pub/linux/kernel/people/alan and this was the patch I found:

	diff -u --new-file --recursive --exclude-from /usr/src/exclude linux.vanilla
/net/unix/af_unix.c linux.15pre16/net/unix/af_unix.c
--- linux.vanilla/net/unix/af_unix.c   Sat Aug 14 02:27:46 1999
+++ linux.15pre16/net/unix/af_unix.c   Tue Mar 28 17:27:52 2000
@@ -969,6 +969,10 @@
         return -ENOTCONN;
   }

+  err = -EMSGSIZE;
+  if (len > sk->sndbuf)
+     goto out;
+
   if (sock->passcred && !sk->protinfo.af_unix.addr)
      unix_autobind(sock);
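
Review bot: The new len > sk->sndbuf test, placed right after the -ENOTCONN return, carries no comment saying why a message larger than the socket's send buffer is refused or why the bound is exactly sndbuf; a one-line comment above "err = -EMSGSIZE;" would record that. Note also that err is assigned -EMSGSIZE unconditionally before the comparison, so it stays set when the check passes; confirm that every later "goto out" in this function assigns its own err, otherwise an unrelated failure would be reported as -EMSGSIZE.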

	And this isn't so different from mine (except for the fact that I
	check len > sk->sndbuf - 16, thus limiting the sending buffer.
	[so in that I was wrong]).

Thx a lot!

bye bye


								-- gg sullivan


--
Lorenzo Cavallaro	`Gigi Sullivan' <sullivan@sikurezza.org>

Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
