From: Josh Hunt <joh...@akamai.com> Date: Wed, 13 Nov 2013 17:15:43 -0800
> The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets > (RDS) protocol implementation allows local users to cause a denial of service > (BUG_ON and kernel panic) by establishing an RDS connection with the source > IP address equal to the IPoIB interface's own IP address, as demonstrated by > rds-ping. > > A local unprivileged user could use this flaw to crash the system. > > CVE-2012-2372 > > Reported-by: Honggang Li <ho...@redhat.com> > Signed-off-by: Josh Hunt <joh...@akamai.com> I'm sorry I can't apply this. This commit message needs to be much less terse and explain things more. First of all, why is the "off % RDS_FRAG_SIZE" important? And, even more importantly, why is is OK to avoid this assertion just because we're going over loopback? Furthermore, why doesn't net/rds/iw_send.c:rds_iw_xmit() have the same exact problem? It makes the same exact assertion check. I know this RDS code is a steaming pile of poo, but that doesn't mean we just randomly adjust assertions to make crashes go away without sufficient understanding of exactly what's going on. Thanks. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
