iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
75559c167b
linux/net
History
Jean Delvare 75559c167b [APPLETALK]: Fix a remotely triggerable crash 
When we receive an AppleTalk frame shorter than what its header says,
we still attempt to verify its checksum, and trip on the BUG_ON() at
the end of function atalk_sum_skb() because of the length mismatch.

This has security implications because this can be triggered by simply
sending a specially crafted ethernet frame to a target victim,
effectively crashing that host. Thus this qualifies, I think, as a
remote DoS. Here is the frame I used to trigger the crash, in npg
format:

<Appletalk Killer>
{
# Ethernet header -----

  XX XX XX XX XX XX  # Destination MAC
  00 00 00 00 00 00  # Source MAC
  00 1D              # Length

# LLC header -----

  AA AA 03
  08 00 07 80 9B  # Appletalk

# Appletalk header -----

  00 1B        # Packet length (invalid)
  00 01        # Fake checksum 
  00 00 00 00  # Destination and source networks
  00 00 00 00  # Destination and source nodes and ports

# Payload -----

  0C 0D 0E 0F 10 11 12 13
  14
}

The destination MAC address must be set to those of the victim.

The severity is mitigated by two requirements:
* The target host must have the appletalk kernel module loaded. I
  suspect this isn't so frequent.
* AppleTalk frames are non-IP, thus I guess they can only travel on
  local networks. I am no network expert though, maybe it is possible
  to somehow encapsulate AppleTalk packets over IP.

The bug has been reported back in June 2004:
  http://bugzilla.kernel.org/show_bug.cgi?id=2979
But it wasn't investigated, and was closed in July 2006 as both
reporters had vanished meanwhile.

This code was new in kernel 2.6.0-test5:
  http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2
And not modified since then, so we can assume that vanilla kernels
2.6.0-test5 and later, and distribution kernels based thereon, are
affected.

Note that I still do not know for sure what triggered the bug in the
real-world cases. The frame could have been corrupted by the kernel if
we have a bug hiding somewhere. But more likely, we are receiving the
faulty frame from the network.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-04-04 23:52:46 -07:00
..
802 [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00
8021q [VLAN]: Avoid a 4-order allocation. 2007-03-02 20:44:51 -08:00
appletalk [APPLETALK]: Fix a remotely triggerable crash 2007-04-04 23:52:46 -07:00
atm [NET]: Fix neighbour destructor handling. 2007-03-25 18:48:01 -07:00
ax25 [NET] AX.25 Kconfig and docs updates and fixes 2007-03-25 18:48:02 -07:00
bluetooth [PATCH] bluetooth hid quirks: mightymouse quirk 2007-03-29 08:22:24 -07:00
bridge [NET]: fix up misplaced inlines. 2007-03-22 12:27:49 -07:00
core [PATCH] net: Ignore sysfs network device rename bugs. 2007-04-04 08:51:52 -07:00
dccp [DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV 2007-03-28 11:54:32 -07:00
decnet [DECNet] fib: Fix out of bound access of dn_fib_props[] 2007-03-25 18:48:04 -07:00
econet [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00
ethernet [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00
ieee80211 [PATCH] fix typos in net/ieee80211/Kconfig 2007-03-24 16:51:53 -07:00
ipv4 [TCP]: Do receiver-side SWS avoidance for rcvbuf < MSS. 2007-04-02 13:56:32 -07:00
ipv6 [IPv6]: Fix incorrect length check in rawv6_sendmsg() 2007-04-02 13:30:54 -07:00
ipx [IPX]: Remove ancient changelog 2007-02-28 09:42:06 -08:00
irda [IrDA]: Calling ppp_unregister_channel() from process context 2007-03-20 00:09:42 -07:00
iucv [S390]: Add AF_IUCV socket support 2007-02-08 13:51:54 -08:00
key [IPSEC]: xfrm audit hook misplaced in pfkey_delete and xfrm_del_sa 2007-03-07 16:08:11 -08:00
lapb [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00
llc [PATCH] sysctl: remove insert_at_head from register_sysctl 2007-02-14 08:09:59 -08:00
netfilter [NETFILTER]: nf_conntrack_netlink: add missing dependency on NF_NAT 2007-03-22 12:29:57 -07:00
netlabel [NET]: Fix kfree(skb) 2007-02-28 09:42:14 -08:00
netlink [PATCH] mark struct file_operations const 8 2007-02-12 09:48:46 -08:00
netrom [PATCH] sysctl: remove insert_at_head from register_sysctl 2007-02-14 08:09:59 -08:00
packet [AF_PACKET]: Remove unnecessary casts. 2007-02-26 11:42:45 -08:00
rose [ROSE]: Socket locking is a great invention. 2007-03-12 15:53:33 -07:00
rxrpc [PATCH] sysctl: remove insert_at_head from register_sysctl 2007-02-14 08:09:59 -08:00
sched [NET_SCHED]: cls_basic: fix memory leak in basic_destroy 2007-04-02 13:30:52 -07:00
sctp [SCTP]: Correctly reset ssthresh when restarting association 2007-03-22 12:26:25 -07:00
sunrpc [PATCH] net/sunrpc/svcsock.c: fix a check 2007-04-04 21:12:47 -07:00
tipc [NET] TIPC: Fix whitespace errors. 2007-02-10 23:20:15 -08:00
unix [NET]: Revert incorrect accept queue backlog changes. 2007-03-06 11:21:05 -08:00
wanrouter [WANROUTER]: Delete superfluous source file "net/wanrouter/af_wanpipe.c". 2007-03-12 17:06:27 -07:00
x25 [X25] x25_forward_call(): fix NULL dereferences 2007-03-20 00:09:46 -07:00
xfrm [NET]: fix up misplaced inlines. 2007-03-22 12:27:49 -07:00
compat.c [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00
Kconfig [S390]: Rewrite of the IUCV base code, part 2 2007-02-08 13:37:42 -08:00
Makefile [S390]: Rewrite of the IUCV base code, part 2 2007-02-08 13:37:42 -08:00
nonet.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
socket.c [NET]: Correct accept(2) recovery after sock_attach_fd() 2007-03-26 14:09:52 -07:00
sysctl_net.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
TUNABLE