linux/net/ipv4
Kirill Korotaev ee4bb818ae [NETFILTER]: Fix possible overflow in netfilters do_replace()
netfilter's do_replace() can overflow on addition within SMP_ALIGN()
and/or on multiplication by NR_CPUS, resulting in a buffer overflow on
the copy_from_user().  In practice, the overflow on addition is
triggerable on all systems, whereas the multiplication one might require
much physical memory to be present due to the check above.  Either is
sufficient to overwrite arbitrary amounts of kernel memory.

I really hate adding the same check to all 4 versions of do_replace(),
but the code is duplicate...

Found by Solar Designer during security audit of OpenVZ.org

Signed-Off-By: Kirill Korotaev <dev@openvz.org>
Signed-Off-By: Solar Designer <solar@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-02-04 23:51:25 -08:00
ipvs [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
netfilter [NETFILTER]: Fix possible overflow in netfilters do_replace() 2006-02-04 23:51:25 -08:00
af_inet.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
ah4.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
arp.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
datagram.c [NET]: Fix sparse warnings 2005-08-29 16:01:32 -07:00
devinet.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
esp4.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
fib_frontend.c x86: Work around compiler code generation bug with -Os 2006-01-14 22:08:28 -08:00
fib_hash.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
fib_lookup.h [IPV4]: Prepare FIB core for RCU. 2005-08-29 16:08:31 -07:00
fib_rules.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
fib_semantics.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
fib_trie.c [IPV4] fib_trie: build fix 2006-01-03 14:38:34 -08:00
icmp.c [ICMP]: Fix extra dst release when ip_options_echo fails 2006-02-04 23:51:14 -08:00
igmp.c Fix ipv4/igmp.c compile with gcc-4 and IP_MULTICAST 2006-01-31 13:11:41 -08:00
inet_connection_sock.c [ICSK]: Move v4_addr2sockaddr from TCP to icsk 2006-01-03 13:10:39 -08:00
inet_diag.c [INET_DIAG]: Introduce sk_diag_fill 2006-01-09 14:56:56 -08:00
inet_hashtables.c [INET]: Generalise tcp_v4_hash_connect 2006-01-03 13:10:55 -08:00
inet_timewait_sock.c [TWSK]: Introduce struct timewait_sock_ops 2006-01-03 13:10:54 -08:00
inetpeer.c [NET]: Change some "if (x) BUG();" to "BUG_ON(x);" 2006-01-09 14:16:18 -08:00
ip_forward.c [IPV4]: Remove some dead code from ip_forward() 2005-08-29 16:03:06 -07:00
ip_fragment.c [NET]: Endian-annotate struct iphdr 2006-01-06 13:24:29 -08:00
ip_gre.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
ip_input.c [NETFILTER]: Keep conntrack reference until IPsec policy checks are done 2006-01-07 12:57:36 -08:00
ip_options.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
ip_output.c [IPV4]: ip_output.c needs xfrm.h 2006-01-09 14:16:28 -08:00
ip_sockglue.c [NET]: Remove more unneeded typecasts on *malloc() 2006-01-11 16:32:14 -08:00
ipcomp.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
ipconfig.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
ipip.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
ipmr.c [PATCH] capable/capability.h (net/) 2006-01-11 18:42:14 -08:00
Kconfig [TCP] BIC: CUBIC window growth (2.0) 2006-01-03 13:10:28 -08:00
Makefile [NETFILTER]: net/ipv[46]/netfilter.c cleanups 2006-01-10 12:54:29 -08:00
multipath_drr.c [IPV4]: possible cleanups 2005-08-29 15:33:20 -07:00
multipath_random.c [IPV4]: Multipath modules need a license to prevent kernel tainting. 2005-06-13 14:29:06 -07:00
multipath_rr.c [IPV4]: Multipath modules need a license to prevent kernel tainting. 2005-06-13 14:29:06 -07:00
multipath_wrandom.c [IPV4] multipath_wrandom: Fix softirq-unsafe spin lock usage 2006-02-02 16:59:16 -08:00
multipath.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
netfilter.c [NETFILTER]: net/ipv[46]/netfilter.c cleanups 2006-01-10 12:54:29 -08:00
proc.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
protocol.c [TCP]: Move the tcp sock states to net/tcp_states.h 2005-08-29 15:41:54 -07:00
raw.c [PATCH] EDAC: atomic scrub operations 2006-01-18 19:20:30 -08:00
route.c [IPV4]: RT_CACHE_STAT_INC() warning fix 2006-01-17 22:46:49 -08:00
syncookies.c [ICSK]: Rename struct tcp_func to struct inet_connection_sock_af_ops 2006-01-03 13:10:38 -08:00
sysctl_net_ipv4.c [INET_SOCK]: Move struct inet_sock & helper functions to net/inet_sock.h 2006-01-03 13:11:21 -08:00
tcp_bic.c [TCP] BIC: spelling and whitespace 2006-01-03 13:10:27 -08:00
tcp_cong.c [TCP]: less inline's 2006-01-03 16:03:49 -08:00
tcp_cubic.c [TCP] cubic: use Newton-Raphson 2006-01-03 13:11:09 -08:00
tcp_diag.c [INET_DIAG]: Move the tcp_diag interface to the proper place 2005-08-29 15:57:54 -07:00
tcp_highspeed.c [TCP]: TCP highspeed build error 2005-11-17 14:11:18 -08:00
tcp_htcp.c [TCP] H-TCP: Fix accounting 2006-01-30 20:54:39 -08:00
tcp_hybla.c [TCP]: fix congestion window update when using TSO deferal 2005-11-10 16:53:30 -08:00
tcp_input.c [NET]: Change some "if (x) BUG();" to "BUG_ON(x);" 2006-01-09 14:16:18 -08:00
tcp_ipv4.c [NET]: Do not export inet_bind_bucket_create twice. 2006-01-31 17:47:02 -08:00
tcp_minisocks.c [IPV6]: Introduce inet6_timewait_sock 2006-01-03 13:10:47 -08:00
tcp_output.c [TCP]: less inline's 2006-01-03 16:03:49 -08:00
tcp_scalable.c [TCP]: add tcp_slow_start helper 2005-11-10 17:07:24 -08:00
tcp_timer.c [TCP]: spelling fixes 2005-11-10 17:13:47 -08:00
tcp_vegas.c [TCP] tcp_vegas: Fix slow start 2006-01-04 13:59:32 -08:00
tcp_westwood.c [INET_DIAG]: Rename tcp_diag.[ch] to inet_diag.[ch] 2005-08-29 15:57:48 -07:00
tcp.c [IP_SOCKGLUE]: Remove most of the tcp specific calls 2006-01-03 13:10:58 -08:00
udp.c [NETFILTER]: Keep conntrack reference until IPsec policy checks are done 2006-01-07 12:57:36 -08:00
xfrm4_input.c [IPV4/6]: Netfilter IPsec input hooks 2006-01-07 12:57:31 -08:00
xfrm4_output.c [NETFILTER]: Redo policy lookups after NAT when neccessary 2006-01-07 12:57:35 -08:00
xfrm4_policy.c [XFRM]: Handle DCCP in xfrm{4,6}_decode_session 2005-12-19 14:03:46 -08:00
xfrm4_state.c [XFRM]: IPsec tunnel wildcard address support 2006-01-13 14:34:36 -08:00
xfrm4_tunnel.c [NET]: Make ipip/ip6_tunnel independant of XFRM 2005-07-19 14:03:34 -07:00