Hi,
itojun <itojun@xxxxxxxxxx> informed us that current
linux 2.2.x and 2.4.x kernels have a buffer-overrun bug in
net/ipv4/ip_options.c. Here's the fix.
Index: net/ipv4/ip_options.c
===================================================================
RCS file: /cvsroot/usagi/usagi/kernel/linux24/net/ipv4/ip_options.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 ip_options.c
--- net/ipv4/ip_options.c 2000/08/25 03:29:24 1.1.1.3
+++ net/ipv4/ip_options.c 2001/02/22 15:36:47
@@ -220,6 +220,8 @@
optptr++;
continue;
}
+ if (l < 2)
+ return;
optlen = optptr[1];
if (optlen<2 || optlen>l)
return;
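Review bot: the new `if (l < 2) return;` sits at the only place that works, after the END/NOOP cases and before `optlen = optptr[1];`, because the existing `optlen<2 || optlen>l` test runs only after the length byte has already been read and so cannot prevent the one-byte over-read when a lone option type byte ends the option area. Two small requests: a one-line comment such as `/* type byte with no length byte */` would make the bare constant 2 self-explaining, and since the second hunk reports the same condition through `pp_ptr = optptr; goto error;` while this one returns silently, a short note on why a silent `return` is adequate here would let reviewers confirm the asymmetry is deliberate.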
@@ -277,6 +279,10 @@
l--;
optptr++;
continue;
+ }
+ if (l < 2) {
+ pp_ptr = optptr;
+ goto error;
}
optlen = optptr[1];
if (optlen<2 || optlen>l) {
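Review bot: reporting the truncated option via `pp_ptr = optptr; goto error;` is the right choice in this loop, as it reuses the failure path already taken by the `optlen<2 || optlen>l` branch immediately below, so a trailing type byte with no length byte is now handled exactly like an option whose length field is out of range. The two checks fail for closely related reasons and could be folded into one condition if `optlen` were read only after the `l < 2` test, but the separate block as written is clearer and guarantees `optptr[1]` is never touched, so the only thing I would add is a brief comment stating that `l` is the count of option bytes remaining, which is what justifies the `2`.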
--
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@xxxxxxxxxxxxxx>
PGP5i FP: F731 6599 5EB2 BBA7 1515 1323 1806 A96F 5700 6B25
--- Begin Message ---
I'm not sure if this is the right forum to raise this, but anyway
I have almost no idea about how the linux community works... so this is
the best thing I can try. If necessary please forward it to someone
more appropriate.
Due to the complexity of the IPv4 option specification, lots of systems
(even openbsd!) make buffer overruns while parsing it. I've checked the
usagi cvs repository (for linux 2.4.0) and it has mistakes too.
We should also check the AH logic, but I could not find where it is.
itojun
net/ipv4/ip_options.c:ip_options_compile()
net/ipv4/ip_options.c:ip_options_fragment()
need to make sure that l > 1 before touching optptr[1].
--- End Message ---
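The check itojun describes, as an added example that is not the kernel's code, the USAGI patch, or anything from either poster: a minimal IPv4 option walker with the same loop shape as the kernel's (switch on the type byte, END terminates, NOOP is one byte, every other option carries a length byte at optptr[1]). The `guarded` flag turns the `l < 2` test on or off so the difference is visible. The option areas below are constructed for the example; each is followed by a byte standing in for the start of the payload, so the unguarded walk stays inside our array while the `overread` counter records that it consumed a byte outside the option area. All names (`walk_options`, `walk_stats`, `rd`, the `sample_*` arrays) are hypothetical.

```c
/* Added example: illustrates why l >= 2 must hold before optptr[1] is read.
 * Not kernel code; names and sample packets are constructed for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_END  0
#define IPOPT_NOOP 1

enum opt_result { OPT_OK = 0, OPT_ERR_TRUNCATED, OPT_ERR_BADLEN };

struct walk_stats {
    enum opt_result result;
    size_t bad_off;   /* offset of the option that failed, like the kernel's pp_ptr */
    size_t overread;  /* reads at or beyond opt[len]; a correct parser keeps this 0 */
    int    count;     /* well-formed multi-byte options accepted */
};

/* Read opt[off], recording whether off lies outside the option area.
 * The sample arrays below extend past `len`, so an over-read here stays in
 * bounds of our constructed buffer but is counted rather than hidden. */
static uint8_t rd(const uint8_t *opt, size_t off, size_t len, struct walk_stats *st)
{
    if (off >= len)
        st->overread++;
    return opt[off];
}

/* Walk opt[0..len). With guarded == 0 the loop reads the length byte
 * unconditionally, as the pre-patch kernel did; with guarded != 0 it refuses
 * a type byte that has no room for a length byte. */
struct walk_stats walk_options(const uint8_t *opt, size_t len, int guarded)
{
    struct walk_stats st = { OPT_OK, 0, 0, 0 };
    const uint8_t *optptr = opt;
    size_t l = len;   /* bytes remaining, the kernel's `l` */
    size_t off, optlen;

    while (l > 0) {
        off = (size_t)(optptr - opt);
        switch (*optptr) {
        case IPOPT_END:
            return st;
        case IPOPT_NOOP:
            l--;
            optptr++;
            continue;
        }
        if (guarded && l < 2) {          /* the fix: type byte, no length byte */
            st.result = OPT_ERR_TRUNCATED;
            st.bad_off = off;
            return st;
        }
        optlen = rd(opt, off + 1, len, &st);   /* optptr[1] */
        if (optlen < 2 || optlen > l) {        /* existing kernel check */
            st.result = OPT_ERR_BADLEN;
            st.bad_off = off;
            return st;
        }
        st.count++;
        l -= optlen;
        optptr += optlen;
    }
    return st;
}

/* Constructed option areas; the bytes after *_LEN stand in for payload. */
static const uint8_t sample_truncated[] = { IPOPT_NOOP, IPOPT_NOOP, IPOPT_NOOP, 0x83, 0x05, 0x00 };
#define SAMPLE_TRUNCATED_LEN 4   /* three NOOPs then a bare LSRR type byte */
static const uint8_t sample_good[] = { 0x83, 0x07, 0x04, 10, 0, 0, 1, IPOPT_NOOP, 0x45 };
#define SAMPLE_GOOD_LEN 8        /* LSRR len 7 with one address, then NOOP */
static const uint8_t sample_badlen[] = { 0x07, 0x0b, 0x04, 0, 0, 0, 0, IPOPT_NOOP, 0x45 };
#define SAMPLE_BADLEN_LEN 8      /* RR claims len 11 but only 8 bytes remain */
static const uint8_t sample_end[] = { 0x83, 0x03, 0x04, IPOPT_END, 0x45 };
#define SAMPLE_END_LEN 4         /* LSRR len 3 followed by END */

static void show(const char *name, const uint8_t *opt, size_t len)
{
    struct walk_stats u = walk_options(opt, len, 0), g = walk_options(opt, len, 1);
    printf("%-10s unguarded: result=%d off=%zu overread=%zu | guarded: result=%d off=%zu overread=%zu\n",
           name, u.result, u.bad_off, u.overread, g.result, g.bad_off, g.overread);
}

int main(void)
{
    show("truncated", sample_truncated, SAMPLE_TRUNCATED_LEN);
    show("good", sample_good, SAMPLE_GOOD_LEN);
    show("badlen", sample_badlen, SAMPLE_BADLEN_LEN);
    show("end", sample_end, SAMPLE_END_LEN);
    return 0;
}
```

On the truncated input the unguarded walk still ends in an error, because the byte it reads from beyond the option area happens to fail the `optlen > l` test, but it gets there only after consuming one byte that belongs to the payload; the guarded walk rejects the option at offset 3 without touching that byte. The other three inputs show that the added test changes nothing for well-formed options, for END-terminated areas, or for the length-field failure the existing check already catches.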