[SECURITY,2.4,IPV6]: Fix infinite loop in udp_v6_get_port().

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



    [IPV6]: Fix infinite loop in udp_v6_get_port()
    
    This is CVE-2005-2973, and
    87bf9c97b4b3af8dec7b2b79cdfe7bfc0a0a03b2 in Linus' 2.6 Git Tree.
    It seems to be relevant to 2.4
    
    [IPV6]: Fix infinite loop in udp_v6_get_port()
    
    Original sign-off
    
    Signed-off-by: YOSHIFUJI Hideaki <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    
    Mine, indicating that I think it is relevant to 2.4
    
    Signed-off-by: Horms <[email protected]>

diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 471180b..4395aa4 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -89,7 +89,7 @@ static int udp_v6_get_port(struct sock *
 		next:;
 		}
 		result = best;
-		for(;; result += UDP_HTABLE_SIZE) {
+		for(i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++, result += UDP_HTABLE_SIZE) {
 			if (result > sysctl_local_port_range[1])
 				result = sysctl_local_port_range[0]
 					+ ((result - sysctl_local_port_range[0]) &
@@ -97,6 +97,8 @@ static int udp_v6_get_port(struct sock *
 			if (!udp_lport_inuse(result))
 				break;
 		}
+		if (i >= (1 << 16) / UDP_HTABLE_SIZE)
+			goto fail;
 gotit:
 		udp_port_rover = snum = result;
 	} else {
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux