[PATCH] raw_sendmsg DoS on 2.6
authorMark J Cox <mjc@redhat.com>
Tue, 20 Sep 2005 00:55:30 +0000 (17:55 -0700)
committerLinus Torvalds <torvalds@g5.osdl.org>
Tue, 20 Sep 2005 01:45:42 +0000 (18:45 -0700)
Fix unchecked __get_user that could be tricked into generating a
memory read on an arbitrary address.  The result of the read is not
returned directly but you may be able to divine some information about
it, or use the read to cause a crash on some architectures by reading
hardware state.  CAN-2004-2492.

Fix from Al Viro, ack from Dave Miller.

Signed-off-by: Linus Torvalds <torvalds@osdl.org>
net/ipv4/raw.c
net/ipv6/raw.c

index 304bb0a1d4f0f1b936e0500f08282bf137ae4505..4b0d7e4d62698a44acd992fd3e2a01e14b3037f0 100644 (file)
@@ -361,7 +361,7 @@ static void raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
 
                        if (type && code) {
                                get_user(fl->fl_icmp_type, type);
-                               __get_user(fl->fl_icmp_code, code);
+                               get_user(fl->fl_icmp_code, code);
                                probed = 1;
                        }
                        break;
index 5aa3691c578d3a0198aced9809b996a0569f1562..a1265a320b1170a43e1db063d573e20944582ca2 100644 (file)
@@ -627,7 +627,7 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
 
                        if (type && code) {
                                get_user(fl->fl_icmp_type, type);
-                               __get_user(fl->fl_icmp_code, code);
+                               get_user(fl->fl_icmp_code, code);
                                probed = 1;
                        }
                        break;