[35076] in bugtraq
Re: Linux Kernel sctp_setsockopt() Integer Overflow
daemon@ATHENA.MIT.EDU (=?iso-8859-1?q?Shaun=20Colley?=)
Mon May 31 16:47:00 2004
Message-ID: <20040531173529.35242.qmail@web25109.mail.ukl.yahoo.com>
Date: Mon, 31 May 2004 18:35:29 +0100 (BST)
From: =?iso-8859-1?q?Shaun=20Colley?= <shaunige@yahoo.co.uk>
To: Jirka Kosina <jikos@jikos.cz>
Cc: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.58.0405290510330.12518@twin.jikos.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
> Because this all is debate about nothing, as the
> original advisory was
> fake, because you simply can't pass negative optlen
> to setsockopt()
> syscall, so there is nothing to be exploited.
No, the advisory was not fake. At the time, I didn't
realise that -1 or any negative will not get past
sys_setsockopt(). Without the sanity check in
setsockopt, there would be a bad security issue,
though. It's still worth upgrading, anyway. The bug
exists, just not a very big possibility of exploiting.
Thank you for your time.
Shaun.
____________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping"
your friends today! Download Messenger Now
http://uk.messenger.yahoo.com/download/index.html
