
Subject: BUG: crasher [IMPORTANT PATCH]
From: Olaf Titz <olaf,AT,bigred,DOT,inka,DOT,de>
Date: Mon, 7 Jan 2002 21:42:43 +0100

This must be an old problem, why was it never found? :-) To my
knowledge it exists in all published versions of CIPE. It causes a
crash when CIPE receives too small packets. Thanks to Larry McVoy for
alerting me to this bug.

The attached patch is from the CVS but applies cleanly to 1.5.2.

Olaf

Index: cipe/sock.c
===================================================================
RCS file: /home/olaf/common-home/CVSrepos/security/cipe-linux/cipe/sock.c,v
retrieving revision 1.36
diff -u -r1.36 sock.c
--- cipe/sock.c 2001/12/29 20:23:04     1.36
+++ cipe/sock.c 2002/01/06 18:28:56
@@ -199,6 +199,11 @@
        goto framerr;
     }
 #endif
+    if (length<cipehdrlen+(c->sockshost?sizeof(struct sockshdr):0)) {
+        printk(KERN_INFO "%s: got short packet from %s\n", c->dev->name,
+               cipe_ntoa(saddr(skb)));
+       goto framerr;
+    }

     n=alloc_skb(skb->len, GFP_KERNEL);
     if (!n) {
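
Review bot: the new test `if (length<cipehdrlen+(c->sockshost?sizeof(struct sockshdr):0))` compares `length` against an expression that `sizeof` makes unsigned, so if `length` is declared as a signed type a negative value would be converted to a large unsigned one and pass the check. Please confirm the type of `length` or make the comparison explicit. Two smaller points on the same lines: the `goto framerr` is taken before `n=alloc_skb(...)` while the error path tests `if (n)`, so `n` has to be initialised to NULL at its declaration, which is not visible in this hunk; and the `printk` fires once per short packet with no rate limit, so a sender of many short packets can fill the kernel log. Guarding it with `net_ratelimit()` would avoid that.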
@@ -390,10 +395,8 @@
     c->stat.rx_packets++;
     return NULL;

-#if 0
  framerr:
     ++c->stat.rx_frame_errors; /* slightly abuse this */
-#endif
  error:
     ++c->stat.rx_errors;
     if (n)
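
Review bot: with the `#if 0` / `#endif` pair removed, `framerr:` falls straight through into `error:`, so every short packet increments both `rx_frame_errors` and `rx_errors`. If the double count is intended, a fall-through comment between the two labels would make that explicit, and the existing "slightly abuse this" comment could state that the counter now records short packets.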

=== end of patch ===




