Date: Sun, 11 Dec 2011 18:35:35 -0700
From: Kurt Seifried <>
Subject: Fwd: Re: cve request: bat_socket_read memory corruption

Please USE CVE-2011-4604 for this issue.

-------- Original Message --------
Subject: 	Re: [oss-security] cve request: bat_socket_read memory corruption
Date: 	Sat, 10 Dec 2011 20:35:33 +0100
From: 	Paul <>

On 2011-12-10 20:30, Kurt Seifried wrote:
> On 12/10/2011 09:13 AM, Paul wrote:
>> Hi
>> can I get a CVE for this:
>> ?
>> If root does read() on a specific socket, it's possible to corrupt
>> (kernel) memory over network, with an ICMP packet, if B.A.T.M.A.N. mesh
>> protocol is used.
> I'm going to need first hand source information, i.e. links to the
> code/commits/project stating it's an issue or something similar.

Modified patch from Sven Eckelmann, one of the project's managers.



Don't write more than the requested number of bytes of a batman-adv icmp
packet to the userspace buffer. Otherwise unrelated userspace memory might get
overwritten by the kernel.

Reported-by: Paul Kot <pawlkt at <>>
Signed-off-by: Sven Eckelmann <sven at <>>
Marek pointed out that it is better to merge patch 1 and 2. I think it doesn't
make sense to leave Paul Kot as author because it doesn't look like his patch
at all.

And thanks to Andrew for s/overridden/overwritten/

 icmp_socket.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/icmp_socket.c b/icmp_socket.c
index 5bc8649..66923d2 100644
--- a/icmp_socket.c
+++ b/icmp_socket.c
@@ -136,10 +136,9 @@ static ssize_t bat_socket_read(struct file *file, char __user *buf,
-	error = __copy_to_user(buf, &socket_packet->icmp_packet,
-			       socket_packet->icmp_len);
+	packet_len = min(count, socket_packet->icmp_len);
+	error = copy_to_user(buf, &socket_packet->icmp_packet, packet_len);
-	packet_len = socket_packet->icmp_len;
 	if (error)
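
Review bot: on the added line "packet_len = min(count, socket_packet->icmp_len);", the kernel's min() macro type-checks its two arguments, so this builds cleanly only if icmp_len has the same type as count; if the types differ, min_t() with an explicit type is the safer form. The same hunk also replaces __copy_to_user with copy_to_user, which the commit message does not mention, and a read with a buffer smaller than icmp_len now returns a truncated packet; both deserve a sentence in the message or a comment above the copy so callers know a short read is expected behaviour.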
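
The clamp described in the commit message, shown as an added example that is not part of the original message or of the batman-adv source: a userspace C model that copies a queued packet into a caller buffer with and without the min(count, icmp_len) bound and counts how many bytes beyond the requested length get overwritten. ICMP_MAX, CANARY, read_fn, read_unclamped, read_clamped and bytes_clobbered are names and values assumed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the read path; constructed for illustration, not kernel code. */
#define ICMP_MAX 116  /* constructed cap on the queued packet size */
#define CANARY   0xA5 /* fill byte standing in for unrelated caller memory */

struct socket_packet { /* field names follow the patch */
	unsigned char icmp_packet[ICMP_MAX];
	size_t icmp_len;
};
typedef size_t (*read_fn)(unsigned char *, size_t, const struct socket_packet *);

/* "Before": copies icmp_len bytes no matter how many the caller requested. */
static size_t read_unclamped(unsigned char *buf, size_t count, const struct socket_packet *sp)
{
	(void)count;
	memcpy(buf, sp->icmp_packet, sp->icmp_len);
	return sp->icmp_len;
}

/* "After": never copies more than the caller's count. */
static size_t read_clamped(unsigned char *buf, size_t count, const struct socket_packet *sp)
{
	size_t packet_len = count < sp->icmp_len ? count : sp->icmp_len;
	memcpy(buf, sp->icmp_packet, packet_len);
	return packet_len;
}

/* Reads into the first `count` bytes of a canary-filled arena and returns how
 * many bytes past `count` were changed. Needs icmp_len <= ICMP_MAX and
 * count <= 2 * ICMP_MAX so the model itself stays in bounds. */
static size_t bytes_clobbered(read_fn fn, size_t count, size_t icmp_len)
{
	unsigned char arena[2 * ICMP_MAX];
	struct socket_packet sp;
	size_t i, hit = 0;
	memset(arena, CANARY, sizeof(arena));
	memset(sp.icmp_packet, 0x42, sizeof(sp.icmp_packet));
	sp.icmp_len = icmp_len;
	fn(arena, count, &sp);
	for (i = count; i < sizeof(arena); i++)
		hit += (arena[i] != CANARY);
	return hit;
}

int main(void) {
	printf("unclamped: %zu clobbered, clamped: %zu clobbered\n",
	       bytes_clobbered(read_unclamped, 32, 116), bytes_clobbered(read_clamped, 32, 116));
	return 0;
}
```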
