oss-security - Re: CVE request: kernel: L2TP send buffer allocation size overflows

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <434215888.575451289418251839.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Wed, 10 Nov 2010 14:44:11 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com, Petr Matousek <pmatouse@...hat.com>
Cc: coley@...us.mitre.org
Subject: Re: CVE request: kernel: L2TP send buffer allocation
 size overflows

Please use CVE-2010-4160.

Thanks.

-- 
    JB


----- "Petr Matousek" <pmatouse@...hat.com> wrote:

> "Both PPPoL2TP (in net/l2tp/l2tp_ppp.c, pppol2tp_sendmsg()) and
> IPoL2TP (in
> net/l2tp/l2tp_ip.c, l2tp_ip_sendmsg()) make calls to sock_wmalloc()
> that
> perform arithmetic on the size argument without any maximum bound. As
> a result,
> by issuing sendto() calls with very large sizes, this allocation size
> will wrap
> and result in a small buffer being allocated, leading to ugliness
> immediately
> after (probably kernel panics due to bad sk_buff tail position, but
> possibly
> kernel heap corruption)."
> 
> Credit: Dan Rosenberg
> 
> Reference:
> http://www.spinics.net/lists/netdev/msg145673.html
> https://bugzilla.redhat.com/show_bug.cgi?id=651892
> 
> Thanks,
> --
> Petr Matousek / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.