Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Sun, 15 Jul 2001 12:03:47 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Sun, 15 Jul 2001 12:03:37 -0400 Received: from [195.211.46.202] ([195.211.46.202]:30792 "EHLO serv02.lahn.de") by vger.kernel.org with ESMTP id ; Sun, 15 Jul 2001 12:03:25 -0400 Date: Sun, 15 Jul 2001 17:40:23 +0200 (CEST) From: Philipp Matthias Hahn Reply-To: To: Linux Kernel Mailing List Cc: Subject: [PATCH] Re: [CHECKER] 52 probable security holes in 2.4.6 and 2.4.6-ac2 In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Hi Dag, Jean, LKML! On Fri, 13 Jul 2001, Kenneth Michael Ashcraft wrote: > These errors occur because user input (data from copy_from_user, get_user, > etc.) is used without being checked in the following ways: ... > 1 | /home/kash/linux/2.4.6-ac2/net/irda/af_irda.c/ ... > --------------------------------------------------------- > [BUG] looks like it > /home/kash/linux/2.4.6-ac2/net/irda/af_irda.c:2064:irda_getsockopt: ERROR:RANGE:2063:2064: Using user length "(null)" as argument to "copy_to_user" [type=LOCAL] [state = need_lb] [linkages -> 2063:len:start] [distance=3] > sizeof(struct irda_device_info); > > /* Copy the list itself */ > total = offset + (list.len * sizeof(struct irda_device_info)); > if (total > len) > Start ---> > total = len; > Error ---> > if (copy_to_user(optval+offset, discoveries, total - offset)) > err = -EFAULT; > > /* Write total number of bytes used back to client */ > --------------------------------------------------------- Here's the pacth for review: The old check look's quiet bogus, because optlen is a pointer. The check was plain wrong. --- /usr/src/linux-2.4.7/net/irda/af_irda.c~ Thu Jul 12 14:21:06 2001 +++ /usr/src/linux-2.4.7/net/irda/af_irda.c Sat Jul 14 12:36:07 2001 @@ -2035,7 +2035,7 @@ if (get_user(len, optlen)) return -EFAULT; - if(optlen < 0) + if(len < 0) return -EINVAL; switch (optname) { BYtE Philipp -- / / (_)__ __ ____ __ Philipp Hahn / /__/ / _ \/ // /\ \/ / /____/_/_//_/\_,_/ /_/\_\ pmhahn@titan.lahn.de - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/