Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table
As reported by Hugo Dias that it is possible to cause a local denial
of service attack by calling the svc_listen function twice on the same
socket and reading /proc/net/atm/*vc
Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>
Signed-off-by: David S. Miller <davem@davemloft.net>
authored by
Chas Williams
and committed by
David S. Miller
17b24b3c
2cc002c4
+5
-1
net/atm/svc.c
+5
-1
net/atm/svc.c
···
293
error = -EINVAL;
294
goto out;
295
}
296
-
vcc_insert_socket(sk);
297
set_bit(ATM_VF_WAITING, &vcc->flags);
298
prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE);
299
sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
···
310
goto out;
311
}
312
set_bit(ATM_VF_LISTEN,&vcc->flags);
313
sk->sk_max_ack_backlog = backlog > 0 ? backlog : ATM_BACKLOG_DEFAULT;
314
error = -sk->sk_err;
315
out:
···
293
error = -EINVAL;
294
goto out;
295
}
296
+
if (test_bit(ATM_VF_LISTEN, &vcc->flags)) {
297
+
error = -EADDRINUSE;
298
+
goto out;
299
+
}
300
set_bit(ATM_VF_WAITING, &vcc->flags);
301
prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE);
302
sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
···
307
goto out;
308
}
309
set_bit(ATM_VF_LISTEN,&vcc->flags);
310
+
vcc_insert_socket(sk);
311
sk->sk_max_ack_backlog = backlog > 0 ? backlog : ATM_BACKLOG_DEFAULT;
312
error = -sk->sk_err;
313
out: