[PATCH 06/21] slip: Drop packets >mtu (SECURITY)
Ian Jackson
ijackson at chiark.greenend.org.uk
Thu Apr 24 02:37:25 BST 2014
Trying to send them to the kernel crashes userv-ipif.
This is a DoS vulnerability, exposed to internal sites only.
Signed-off-by: Ian Jackson <ijackson at chiark.greenend.org.uk>
---
debian/changelog | 2 +-
slip.c | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index e3e5798..613963e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,7 +6,7 @@ secnet (0.3.1~~unstable) unstable; urgency=low
* Fix netlink SEGV on clientless netlinks (i.e. configuration error).
* Fix formatting error in p-t-p startup message.
* Additions to the test-example suite.
- * Fixes to MTU and fragmentation handling.
+ * SECURITY: Fixes to MTU and fragmentation handling.
--
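Review bot: the reworded entry on the `+` line says only "SECURITY: Fixes to MTU and fragmentation handling", which does not tell someone reading the changelog what the exposure is or whether they are affected. Suggest naming the issue in the entry, for instance that packets larger than the MTU are now dropped rather than passed on, and checking whether `urgency=low` in the stanza shown in the hunk header is still appropriate for an upload that carries a security fix.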
diff --git a/slip.c b/slip.c
index 9e63cb3..aed2551 100644
--- a/slip.c
+++ b/slip.c
@@ -213,6 +213,14 @@ static void userv_deliver_to_kernel(void *sst, struct buffer_if *buf)
{
struct userv *st=sst;
+ if (buf->size > st->slip.nl.mtu) {
+ Message(M_ERR,"%s: packet of size %"PRIu32" exceeds mtu %"PRIu32":"
+ " cannot be injected into kernel, dropped\n",
+ st->slip.nl.name, buf->size, st->slip.nl.mtu);
+ BUF_FREE(buf);
+ return;
+ }
+
slip_stuff(&st->slip,buf,st->txfd);
}
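Review bot: the new `Message(M_ERR, ...)` call in the `buf->size > st->slip.nl.mtu` branch fires once per dropped packet, so a peer that keeps sending oversized packets gets one error-level log line per packet. Consider rate-limiting the message, or counting drops and logging a periodic summary. It is also worth confirming that `buf->size` and `st->slip.nl.mtu` are both `uint32_t`, since both are printed with `PRIu32` and the comparison would behave differently if either were signed. A one-line comment above the check saying why an oversized packet must not reach `slip_stuff` would help later readers.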
--
1.7.10.4