[PATCH 18/21] netlink: fix IP length check (SECURITY)
Ian Jackson
ijackson at chiark.greenend.org.uk
Thu Apr 24 02:37:37 BST 2014
This would erroneously abort on some very short packets.
This is a DoS vulnerability, exposed to internal sites only.
Signed-off-by: Ian Jackson <ijackson at chiark.greenend.org.uk>
---
debian/changelog | 1 +
netlink.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index fe6caae..46645f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ secnet (0.3.1~~unstable) unstable; urgency=low
* SECURITY: Fixes to MTU and fragmentation handling.
* SECURITY: Correctly set "unused" ICMP header field.
* Do not send ICMP errors in response to unknown incoming ICMP.
+ * SECURITY: Fix IP length check not to crash on very short packets.
--
diff --git a/netlink.c b/netlink.c
index 2c3d12d..787f4eb 100644
--- a/netlink.c
+++ b/netlink.c
@@ -831,7 +831,7 @@ static void netlink_incoming(struct netlink *st, struct netlink_client *client,
BUF_FREE(buf);
return;
}
- assert(buf->size >= (int)sizeof(struct icmphdr));
+ assert(buf->size >= (int)sizeof(struct iphdr));
iph=(struct iphdr *)buf->start;
source=ntohl(iph->saddr);
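Review bot: the length test in front of `iph=(struct iphdr *)buf->start` is still an assert(), and it sits on the incoming-packet path, so any buffer that reaches it with fewer than sizeof(struct iphdr) bytes aborts the process rather than being dropped. The new bound is also larger than the old one wherever struct iphdr is bigger than struct icmphdr, so the fix holds only if the check behind the `BUF_FREE(buf); return;` path just above already rejects buffers shorter than an IP header. That check is not visible in this hunk. Please either add a comment naming the earlier check that guarantees this invariant, or replace the assert with an explicit size test that frees the buffer and returns, so that a short packet can never terminate the daemon.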
--
1.7.10.4