Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 17b24b3c authored by Chas Williams's avatar Chas Williams Committed by David S. Miller
Browse files

ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table



As reported by Hugo Dias that it is possible to cause a local denial
of service attack by calling the svc_listen function twice on the same
socket and reading /proc/net/atm/*vc

Signed-off-by: default avatarChas Williams <chas@cmf.nrl.navy.mil>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 2cc002c4
Loading
Loading
Loading
Loading
+5 −1
Original line number Diff line number Diff line
@@ -293,7 +293,10 @@ static int svc_listen(struct socket *sock,int backlog)
		error = -EINVAL;
		goto out;
	}
	vcc_insert_socket(sk);
	if (test_bit(ATM_VF_LISTEN, &vcc->flags)) {
		error = -EADDRINUSE;
		goto out;
        }
	set_bit(ATM_VF_WAITING, &vcc->flags);
	prepare_to_wait(sk->sk_sleep, &wait, TASK_UNINTERRUPTIBLE);
	sigd_enq(vcc,as_listen,NULL,NULL,&vcc->local);
@@ -307,6 +310,7 @@ static int svc_listen(struct socket *sock,int backlog)
		goto out;
	}
	set_bit(ATM_VF_LISTEN,&vcc->flags);
	vcc_insert_socket(sk);
	sk->sk_max_ack_backlog = backlog > 0 ? backlog : ATM_BACKLOG_DEFAULT;
	error = -sk->sk_err;
out: