Date: Wed, 10 Nov 2010 14:44:11 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com, Petr Matousek <pmatouse@...hat.com> Cc: coley@...us.mitre.org Subject: Re: CVE request: kernel: L2TP send buffer allocation size overflows Please use CVE-2010-4160. Thanks. -- JB ----- "Petr Matousek" <pmatouse@...hat.com> wrote: > "Both PPPoL2TP (in net/l2tp/l2tp_ppp.c, pppol2tp_sendmsg()) and > IPoL2TP (in > net/l2tp/l2tp_ip.c, l2tp_ip_sendmsg()) make calls to sock_wmalloc() > that > perform arithmetic on the size argument without any maximum bound. As > a result, > by issuing sendto() calls with very large sizes, this allocation size > will wrap > and result in a small buffer being allocated, leading to ugliness > immediately > after (probably kernel panics due to bad sk_buff tail position, but > possibly > kernel heap corruption)." > > Credit: Dan Rosenberg > > Reference: > http://www.spinics.net/lists/netdev/msg145673.html > https://bugzilla.redhat.com/show_bug.cgi?id=651892 > > Thanks, > -- > Petr Matousek / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.