Closed anubisg1 closed 9 years ago
A security audit handled by the openSUSE security team (https://bugzilla.suse.com/show_bug.cgi?id=904060) found "the packet parsing is vulnerable to memory corruption:
bytes_received -= IOU_HDR_SIZE;
without checking that there are at least IOU_HDR_SIZE bytes, gives problems."
The patch that should fix the issue follows. Please review and merge upstream.
diff --git a/iouyap.c b/iouyap.c index c15893d..944331a 100644 --- a/iouyap.c +++ b/iouyap.c @@ -356,6 +356,9 @@ write_pcap_frame (int fd, const unsigned char *packet, size_t len, unsigned char buf[MAX_MTU + hdr_len]; struct timeval ts; + if (caplen > MAX_MTU) + return -1; + gettimeofday (&ts, 0); pcap_header.tv_sec = ts.tv_sec; pcap_header.tv_usec = ts.tv_usec; @@ -398,7 +401,7 @@ foreign_listener (void *arg) /* Put received bytes after the (absent) IOU header */ bytes_received = read (port->sfd, &buf[IOU_HDR_SIZE], MAX_MTU); - if (bytes_received == -1) + if (bytes_received <= 0) { /* When tunneling, because our sends are asynchronous, we * can get errors here from ICMP packets for UDP packets we @@ -513,7 +516,7 @@ iou_listener (void *arg) { /* This receives from an IOU instance */ bytes_received = read (sfd, buf, IOU_HDR_SIZE + MAX_MTU); - if (bytes_received == -1) + if (bytes_received <= 0) { log_error ("read"); break; @@ -536,6 +539,9 @@ iou_listener (void *arg) debug_log_fmt ("received %zd bytes for port %d (sfd=%d)\n", bytes_received, port, sfd); + if (bytes_received <= IOU_HDR_SIZE) + continue; + /* Send on the packet, minus the IOU header */ bytes_received -= IOU_HDR_SIZE;
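Review bot: In the write_pcap_frame hunk, the new "if (caplen > MAX_MTU) return -1;" guard bounds only caplen, while the function also takes len, and it returns without logging anything. buf is declared as MAX_MTU + hdr_len bytes, so the guard is sufficient only if the copy into buf after the header is sized by caplen. Please confirm that in the part of the function not shown here, and add a debug_log_fmt call before the return so dropped frames are visible. Callers also need to treat -1 as a skipped frame, not as a fatal write error.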
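Review bot: In the foreign_listener hunk, changing the test to "bytes_received <= 0" sends a zero-length read into the branch whose comment describes errors caused by ICMP replies to our UDP sends. read does not set errno when it returns 0, so any errno-based decision or log in that branch would act on a stale value. Handle 0 as its own case (skip the packet and keep listening) and keep the -1 path for real errors.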
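Review bot: In the first iou_listener hunk, a read that returns 0 now runs log_error ("read") and then break, so the listener loop ends and the log reports a read error that did not happen. If sfd is a datagram socket, a single empty datagram is enough to stop this listener. Split the condition: keep log_error and break for -1, and use continue for 0 unless end-of-file on this socket is really meant to end the thread, in which case log it as such.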
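Review bot: In the second iou_listener hunk, the "bytes_received <= IOU_HDR_SIZE" check sits after the debug_log_fmt call, roughly twenty lines below the read, so any code in between that looks at header bytes in buf still runs on a short packet. Move the check to directly after the read's error handling, before anything touches buf. The <= also drops packets that are exactly IOU_HDR_SIZE long. If that is intended, a one-line comment saying header-only packets are discarded would help the next reader.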