- Netlink source address validation allows DoS
bugfix for recvfrom check from bnc#761200 OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=37
This commit is contained in:
Git OBS Bridge
parent
c88432d5de
commit
2c3d70cfcb
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 8 14:30:05 CET 2012 - ohering@suse.de
|
||||
|
||||
- Netlink source address validation allows DoS
|
||||
bugfix for recvfrom check from bnc#761200
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 26 17:13:40 CEST 2012 - ohering@suse.de
|
||||
|
||||
|
||||
@ -55,6 +55,7 @@ Source21: hyper-v.tools.hv.hv_get_dns_info.sh
|
||||
Source22: hyper-v.tools.hv.hv_set_ifconfig.sh
|
||||
Patch0: full-kernel-version.patch
|
||||
Patch1: no-loopback.patch
|
||||
Patch2: hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%if %{with_kmp}
|
||||
@ -91,6 +92,7 @@ cp -vL %{S:9} %{hv_kvp_daemon}.h
|
||||
cp -vL %{S:10} %{hv_kvp_daemon}.c
|
||||
%patch0 -p3
|
||||
%patch1 -p3
|
||||
%patch2 -p3
|
||||
|
||||
%build
|
||||
sed -i~ '/#include <linux.hyperv.h>/d' %{hv_kvp_daemon}.c
|
||||
|
||||
43
hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch
Normal file
43
hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From: Tomas Hozza <thozza@redhat.com>
|
||||
Subject: [PATCH] tools: hv: Netlink source address validation allows DoS
|
||||
Date: Thu, 8 Nov 2012 10:53:29 +0100
|
||||
Message-Id: <1352368409-18809-1-git-send-email-thozza@redhat.com>
|
||||
|
||||
The source code without this patch caused hypervkvpd to exit when it processed
|
||||
a spoofed Netlink packet which has been sent from an untrusted local user.
|
||||
Now Netlink messages with a non-zero nl_pid source address are ignored
|
||||
and a warning is printed into the syslog.
|
||||
|
||||
Signed-off-by: Tomas Hozza <thozza@redhat.com>
|
||||
---
|
||||
tools/hv/hv_kvp_daemon.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c
|
||||
index 13c2a14..c1d9102 100755
|
||||
--- a/tools/hv/hv_kvp_daemon.c
|
||||
+++ b/tools/hv/hv_kvp_daemon.c
|
||||
@@ -1486,13 +1486,19 @@ int main(void)
|
||||
len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
|
||||
addr_p, &addr_l);
|
||||
|
||||
- if (len < 0 || addr.nl_pid) {
|
||||
+ if (len < 0) {
|
||||
syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
|
||||
addr.nl_pid, errno, strerror(errno));
|
||||
close(fd);
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if (addr.nl_pid) {
|
||||
+ syslog(LOG_WARNING, "Received packet from untrusted pid:%u",
|
||||
+ addr.nl_pid);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
incoming_msg = (struct nlmsghdr *)kvp_recv_buffer;
|
||||
incoming_cn_msg = (struct cn_msg *)NLMSG_DATA(incoming_msg);
|
||||
hv_msg = (struct hv_kvp_msg *)incoming_cn_msg->data;
|
||||
--
|
||||
1.7.11.7
|
||||
|
||||
Loading…
Reference in New Issue
Block a user