Hi Alan, hi others,
when I was walking through af_ipx, it looks to me like that
(1) we never check whether ipx->ipx_pktsize is smaller or equal to received
frame length
(2) we never check in propagating NetBIOS packet whether buffer is
large enough
First problem can cause oops in ipx_recvmsg, if I did not oversight some
hidden check (but skb_copy_datagram_iovec does not do this check, so...).
Second problem can cause broadcast storms because of we cannot add
`this' network number into frame if data portion is zero length :-(
Code is lightly tested (i.e. ncpfs & ipxping still works). Please tell me,
whether ipx broadcast storms reports disappear after this patch.
Thanks,
Petr Vandrovec
[EMAIL PROTECTED]
--- linux-2.3.18-ac8.dist/net/ipx/af_ipx.c Tue Sep 7 19:20:11 1999
+++ linux/net/ipx/af_ipx.c Mon Sep 27 11:04:45 1999
@@ -744,7 +744,9 @@
if(ipx->ipx_type == IPX_TYPE_PPROP
&& ipx->ipx_tctrl < 8
- && skb->pkt_type != PACKET_OTHERHOST)
+ && skb->pkt_type != PACKET_OTHERHOST
+ /* header + 8 network numbers */
+ && ntohs(ipx->ipx_pktsize) >= sizeof(struct ipxhdr) + 8 * 4)
{
int i;
ipx_interface *ifcs;
@@ -2043,6 +2045,10 @@
/* Too small? */
if(ntohs(ipx->ipx_pktsize) < sizeof(struct ipxhdr))
+ goto drop;
+
+ /* Invalid header */
+ if(ntohs(ipx->ipx_pktsize) > skb->len)
goto drop;
/* Not ours */
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
