Re: Linux Kernel sctp_setsockopt() Integer Overflow

To: Jirka Kosina <jikos@xxxxxxxx>
Subject: Re: Linux Kernel sctp_setsockopt() Integer Overflow
From: Shaun Colley <shaunige@xxxxxxxxxxx>
Date: Mon, 31 May 2004 18:35:29 +0100 (BST)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.58.0405290510330.12518@xxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

> Because this all is debate about nothing, as the
> original advisory was 
> fake, because you simply can't pass negative optlen
> to setsockopt() 
> syscall, so there is nothing to be exploited.

No, the advisory was not fake.  At the time, I didn't
realise that -1 or any negative will not get past
sys_setsockopt().  Without the sanity check in
setsockopt, there would be a bad security issue,
though.  It's still worth upgrading, anyway.  The bug
exists, just not a very big possibility of exploiting.



Thank you for your time.
Shaun.


        
        
                
____________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

References:
- Re: Linux Kernel sctp_setsockopt() Integer Overflow
  - From: Jirka Kosina

Prev by Date: Looking for a security contact of RealNetworks Live Rhapsody
Next by Date: LinkSys WRT54G administration page availble to WAN
Previous by thread: Re: Linux Kernel sctp_setsockopt() Integer Overflow
Next by thread: [ GLSA 200405-04 ] OpenOffice.org vulnerability when using DAV servers
Index(es):
- Date
- Thread