
(usagi-users 02801) netfilter/ip6_tables.c



Hi,

I'm not sure, but I think the current usagi CVS for 2.6 has a signedness
overflow in the ip6tables.c code.

There's a function called tcp_find_option which copies "optlen" bytes to
a 40 byte buffer on the stack.

optlen is the size of the TCP option bytes, computed as "tcph.doff*4 -
sizeof(tcph)". This is fine for sane packets, as tcph.doff should always
be between 5 and 15, so optlen would be between 0 and 40.

However, if an attacker sends a fake packet with tcph.doff == 0,
tcp_find_option is called with optlen == 4294967276, so the call to
skb_copy_bits will trash the kernel stack quite badly.

Olaf
-- 
Olaf Kirch     |  Stop wasting entropy - start using predictable
okir@xxxxxxx   |  tempfile names today!
---------------+
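The wrap-around described in the report, as an added example that is not part of the original message or of the USAGI ip6_tables code: the option length is computed exactly as the post says (doff*4 minus the 20-byte fixed header, in unsigned 32-bit arithmetic) so that a zero data offset yields 4294967276, and a checked variant rejects any data offset below 5 before anything is copied into the 40-byte buffer. The packet layout, the buffer names and the sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed constants (illustrative, not taken from the kernel source):
 * the fixed TCP header is 20 bytes and the option area is at most 40 bytes,
 * i.e. (15 * 4) - 20, matching the buffer size quoted in the report. */
#define TCP_HDR_LEN     20u
#define TCP_MAX_OPTLEN  40u

/* The length computation as the report describes it, in unsigned 32-bit
 * arithmetic. For doff < 5 the subtraction wraps to a huge value. */
uint32_t optlen_unchecked(unsigned doff)
{
    return (uint32_t)(doff * 4u) - TCP_HDR_LEN;
}

/* Hardened variant: a data offset below 5 cannot describe a header that
 * even contains the fixed part, and above 15 is impossible for a 4-bit
 * field. Returns -1 for malformed headers, else the option length (0..40). */
int optlen_checked(unsigned doff)
{
    if (doff < 5u || doff > 15u)
        return -1;
    uint32_t len = doff * 4u - TCP_HDR_LEN;
    if (len > TCP_MAX_OPTLEN)
        return -1;          /* unreachable for doff <= 15, kept as a guard */
    return (int)len;
}

/* Copies the option bytes that follow the TCP header into a fixed 40-byte
 * buffer, but only after validating both the claimed length and the bytes
 * actually present in the packet. 'pkt' points at the TCP header, 'pktlen'
 * is the number of bytes available. Returns bytes copied or -1. */
int copy_tcp_options(const uint8_t *pkt, size_t pktlen,
                     uint8_t opts[TCP_MAX_OPTLEN])
{
    if (pktlen < TCP_HDR_LEN)
        return -1;
    unsigned doff = pkt[12] >> 4;       /* data offset: high nibble of byte 12 */
    int len = optlen_checked(doff);
    if (len < 0)
        return -1;
    if ((size_t)len > pktlen - TCP_HDR_LEN)
        return -1;                      /* header claims more than the packet carries */
    memcpy(opts, pkt + TCP_HDR_LEN, (size_t)len);
    return len;
}

/* Constructed sample packets (not captured traffic): a header with doff=6
 * followed by four option bytes (NOP, NOP, NOP, EOL), and one with doff=0. */
static const uint8_t sample_ok[24]       = { [12] = 0x60, [20] = 1, [21] = 1, [22] = 1, [23] = 0 };
static const uint8_t sample_zero_doff[24] = { [12] = 0x00 };

int demo_valid_packet(void)
{
    uint8_t opts[TCP_MAX_OPTLEN];
    return copy_tcp_options(sample_ok, sizeof sample_ok, opts);          /* 4 */
}

int demo_zero_doff_packet(void)
{
    uint8_t opts[TCP_MAX_OPTLEN];
    return copy_tcp_options(sample_zero_doff, sizeof sample_zero_doff, opts); /* -1 */
}

int demo_truncated_packet(void)
{
    uint8_t opts[TCP_MAX_OPTLEN];
    /* doff=6 claims 4 option bytes, but only 2 are present after the header */
    return copy_tcp_options(sample_ok, 22, opts);                         /* -1 */
}

int main(void)
{
    printf("unchecked optlen for doff=0:  %u\n", optlen_unchecked(0));
    printf("checked optlen for doff=0:    %d\n", optlen_checked(0));
    printf("valid packet copied:          %d bytes\n", demo_valid_packet());
    printf("zero-doff packet:             %d\n", demo_zero_doff_packet());
    printf("truncated packet:             %d\n", demo_truncated_packet());
    return 0;
}
```

The guarded copy also refuses a header whose data offset promises more option bytes than the packet holds, which is the other way a length derived from an untrusted header can overrun: validating the range of doff fixes the wrap-around, but the copy must still be bounded by what was actually received.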