> Just tested, 2.2.5 - 2.2.10 at the least are vulnerable.
i've attached a quick patch against 2.2.10 that at least prevents the box
from crashing, but this is a completely incorrect fix. I've been running
the exploit for some 15 minutes now without crashing.
The bug appears to be that a TCP localhost bind bucket disappears
mysteriously from under a living socket - thus tcp_bindify() within
tcp_ipv4_rehash finds no bucket and crashes on a NULL ptr. I've also
hacked unbindify to ignore not bound sockets - an obvious side-effect of
the first hack. Anyway, with this hack my box doesnt crash anymore from
the exploit - better than nothing. Maybe the Cc:-ed TCP gods have a better
idea what is really going on? :)
-- mingo
--- linux/include/net/tcp.h.orig Fri Jun 18 23:47:32 1999
+++ linux/include/net/tcp.h Sat Jun 19 00:01:58 1999
@@ -120,8 +120,10 @@
struct tcp_bind_bucket *tb;
unsigned short snum = sk->num;
- for(tb = tcp_bhash[tcp_bhashfn(snum)]; tb->port != snum; tb = tb->next)
+ for(tb = tcp_bhash[tcp_bhashfn(snum)]; tb && (tb->port != snum); tb = tb->next)
;
+ if (!tb)
+ return; // HACK
/* Update bucket flags. */
if(tb->owners == NULL) {
/* We're the first. */
@@ -1073,6 +1075,8 @@
static __inline__ void tcp_sk_unbindify(struct sock *sk)
{
struct tcp_bind_bucket *tb = (struct tcp_bind_bucket *) sk->prev;
+ if (!sk->bind_pprev)
+ return; // HACK
if(sk->bind_next)
sk->bind_next->bind_pprev = sk->bind_pprev;
*sk->bind_pprev = sk->bind_next;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/