[scr265482] ip_tunnel.c

Wed, 23 Nov 2016 19:14:52 -0800 

Hi: 
        I found that the GRE tunnel in same case can cause integer overflow in 
ip_tunnel.c:397
   
Cause of the problem:
        When tpi->seq less than tunnel->i_seqno, the packet will be droped. 

How to recurrence problem
        1. Create an tunnel use kernel GRE module.
    2. Use the tunnel to send packets for awile.
    3.Reboot one site of the tunnel. 
    4. Communication interrupted 


                if (tunnel->parms.i_flags&TUNNEL_SEQ) {
                if (!(tpi->flags&TUNNEL_SEQ) ||
                    (tunnel->i_seqno && (s32)(ntohl(tpi->seq) - 
tunnel->i_seqno) < 0)) {    /**Here is the trouble code* /
                        tunnel->dev->stats.rx_fifo_errors++;
                        tunnel->dev->stats.rx_errors++;
                        goto drop;
                }
                tunnel->i_seqno = ntohl(tpi->seq) + 1;
        }
    
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Integer Overflow in ip_tunnel.c in Ubuntu Linux kernel GRE ALL kernel 
> version allows attacker to Denial of Service via reboot one end of the 
> tunnel

Could you please clarify whether this affects only Ubuntu, or potentially 
affects other Linux distributions? ip_tunnel.c is present in the Linux kernel 
in all distributions and is maintained at:

  
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/net/ipv4/ip_tunnel.c

You should provide your evidence of an integer overflow, such as source code or 
crash tracing.

If you are reporting an Ubuntu issue, please see:

  https://wiki.ubuntu.com/SecurityTeam/FAQ#Contact

about how to file a Private Security bug in Launchpad.

If you are reporting an issue affecting the Linux kernel in general, please 
contact:

  secur...@kernel.org

You can also include:

  netdev@vger.kernel.org

if the report is public. If you need to subscribe, see:

  http://vger.kernel.org/vger-lists.html#netdev

- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available 
for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYNeETAAoJEHb/MwWLVhi26RcP/R38S6V0LFGPHOTFNjTapcnV
RPKycC/lOCGjQehDAUkhxxTwolJpJF3RWeI+KL/hOvxA+LP3B3YeYdoYnQyZ6SqI
8J+zz5vV5mCP3olKYynO4S32bBn8rZiwoWsFWPaC4ILmoQFTLZiDbH6ji3DrHewm
OwrTysyC1a7clOuIM3BaPl3Ra0qMHsgR2b16gYMEdi/B1Ya3oLY7MVLTB2AixA9F
BB/aQjFMICfchEF39uQslU3jJd+SPuayLvceiKIvqFqBt1D8Kt2rBamzMmI5MC3M
ZbVBNfXde1MxqlV2WjUzl8KFj2l1zG7IlH1rcRes+6ZI3VaJnbv9Jyi6oc9QzMQc
nFRg9sH/DzD3g40bh2zRBtLqkQeTxxkg3JvaFc2OC2MaxMiobQCso926d4pFxTmd
+x8wP7E/nKvd4+E09/bep/v0+mEOxfSDICNGO/7gBOU4wKZ6IyaNftfe5Q1zDaxv
M3vWI6VqTFx32wY7TE69AHIH7X7WvzsBi7BLj2RHGFg2hwS7n80A1t4BcdYjPdSh
feFxfVH5gGAaG3Bm4jJOCKe5+vRwuJGjnox2+vQvUrD9v+vx0z1D5ooO8Ms2MLnT
kKL7BKhcntcoLJ3TUI09I2HZBSh7R3homgFhgrpbDHd0YjaW6XgqHjAr8piKEToK
V6jChR0YzXTkTlw1jYlE
=z0ta
-----END PGP SIGNATURE-----

Reply via email to