Bugtraq
mailing list archives
Re: Big problem on linux 2.0
From: andrea () SUSE DE (Andrea Arcangeli)
Date: Tue, 14 Dec 1999 23:09:36 +0100
On Sat, 11 Dec 1999, visi0n wrote:
In my last mail I posted a patch for kernel 2.0.38 that was made against a modified socket.c; you need this one for the original kernel (2.0.38). Sorry...
@@ -966,8 +966,9 @@
struct msghdr msg;
struct iovec iov;
- if(len<0)
+ if(len < 0 || len >= 65468)
return -EINVAL;
+
err=verify_area(VERIFY_READ,buff,len);
if(err)
return err;
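Review bot: the new upper bound is enforced only in this one entry point of socket.c, yet the reply that follows notes that send/sendmsg also reach ip_build_xmit, so a caller using either of those still bypasses the check; the bound belongs in the path all three share (or must be repeated at every entry point). The literal 65468 in `+ if(len < 0 || len >= 65468)` is also a magic number: give it a name or derive it from the header sizes, and note that, as the reply points out, it over-restricts packets carrying fewer than 40 bytes of IP options. Minor: the added blank `+` line after `return -EINVAL;` is noise in the hunk.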
The above patch doesn't fix the bug, because you can still use the other kernel entry points send/sendmsg to feed a big payload to ip_build_xmit.
Also note that you don't need to restrict the max size of a packet to 65467 bytes when the IP options are < 40 bytes.
Andrea
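As an added illustration (not code from the thread, from visi0n's patch or from the kernel), a small C model of the point Andrea makes: the length bound belongs in the transmit path that send, sendto and sendmsg all reach, and it should follow the real header overhead rather than a fixed constant. All names here are constructed; the header sizes are assumptions (20-byte IPv4 header, at most 40 bytes of options, 8-byte UDP header, 65535-byte datagram), under which 65535 - 20 - 40 - 8 gives the 65467 figure from the thread.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed model of the length handling discussed in the thread; it is not
 * kernel code. Header sizes are assumptions: 20-byte IPv4 header, at most 40
 * bytes of IP options, 8-byte UDP header, 65535-byte maximum datagram. */
#define IP_HDR_LEN     20
#define IP_MAX_OPTLEN  40
#define UDP_HDR_LEN    8
#define IP_MAX_DGRAM   65535

/* Largest UDP payload that fits alongside optlen bytes of IP options.
 * With the full 40 bytes of options this is 65467, the figure from the thread;
 * with no options it is 65507, so a fixed 65467 cap is stricter than needed. */
long max_udp_payload(size_t optlen)
{
    if (optlen > IP_MAX_OPTLEN)
        return -EINVAL;
    return (long)IP_MAX_DGRAM - IP_HDR_LEN - UDP_HDR_LEN - (long)optlen;
}

/* Shared transmit path standing in for ip_build_xmit: every entry point ends
 * here, so one check covers send, sendto and sendmsg alike. */
long model_build_xmit(size_t optlen, long len)
{
    long max = max_udp_payload(optlen);
    if (max < 0)
        return max;
    if (len < 0)
        return -EINVAL;
    if (len > max)
        return -EMSGSIZE;
    return len;                       /* bytes accepted for transmission */
}

/* Entry points reduced to their length handling; none carries its own cap. */
long model_send(size_t optlen, long len)   { return model_build_xmit(optlen, len); }
long model_sendto(size_t optlen, long len) { return model_build_xmit(optlen, len); }

/* sendmsg sums an iovec; the sum is bounded as it grows so it cannot wrap. */
long model_sendmsg(size_t optlen, const size_t *iov_len, int iovcnt)
{
    size_t total = 0;
    for (int i = 0; i < iovcnt; i++) {
        if (iov_len[i] > (size_t)IP_MAX_DGRAM - total)
            return -EMSGSIZE;
        total += iov_len[i];
    }
    return model_build_xmit(optlen, (long)total);
}
```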