aboutsummaryrefslogtreecommitdiffstats
path: root/net/atm/svc.c
diff options
context:
space:
mode:
authorChas Williams <chas@cmf.nrl.navy.mil>2008-12-04 17:58:13 -0500
committerDavid S. Miller <davem@davemloft.net>2008-12-04 17:58:13 -0500
commit17b24b3c97498935a2ef9777370b1151dfed3f6f (patch)
tree5b291b7069494889f375427448a30fde92332fcd /net/atm/svc.c
parent2cc002c4bbce4d918ab94b494d61c6991c907d5e (diff)
ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table
As reported by Hugo Dias that it is possible to cause a local denial of service attack by calling the svc_listen function twice on the same socket and reading /proc/net/atm/*vc Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/atm/svc.c')
-rw-r--r--net/atm/svc.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/net/atm/svc.c b/net/atm/svc.c
index de1e4f2f3a43..8fb54dc870b3 100644
--- a/net/atm/svc.c
+++ b/net/atm/svc.c
@@ -293,7 +293,10 @@ static int svc_listen(struct socket *sock,int backlog)
293 error = -EINVAL; 293 error = -EINVAL;
294 goto out; 294 goto out;
295 } 295 }
296 vcc_insert_socket(sk); 296 if (test_bit(ATM_VF_LISTEN, &vcc->flags)) {
297 error = -EADDRINUSE;
298 goto out;
299 }
297 set_bit(ATM_VF_WAITING, &vcc->flags); 300 set_bit(ATM_VF_WAITING, &vcc->flags);
298 prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE); 301 prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE);
299 sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local); 302 sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
@@ -307,6 +310,7 @@ static int svc_listen(struct socket *sock,int backlog)
307 goto out; 310 goto out;
308 } 311 }
309 set_bit(ATM_VF_LISTEN,&vcc->flags); 312 set_bit(ATM_VF_LISTEN,&vcc->flags);
313 vcc_insert_socket(sk);
310 sk->sk_max_ack_backlog = backlog > 0 ? backlog : ATM_BACKLOG_DEFAULT; 314 sk->sk_max_ack_backlog = backlog > 0 ? backlog : ATM_BACKLOG_DEFAULT;
311 error = -sk->sk_err; 315 error = -sk->sk_err;
312out: 316out: