I found this in all 2.2.x kernels, and it might possibly be present in 2.4.x too...

When receiving file descriptors via recvmsg(), scm_detach_fds() in net/core/scm.c can overflow user space data at msg_control if msg_controllen is less than sizeof(struct cmsghdr). This is a security problem.

Attached is a patch to fix the problem and a little program to demonstrate the problem.

Phil.
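The following is an added example, not Phil's patch and not the demonstration program attached to the message. It models, in user space, the bounds check the message says scm_detach_fds() was missing: before a struct cmsghdr carrying SCM_RIGHTS is written into the caller's msg_control buffer, the implementation must confirm msg_controllen is at least sizeof(struct cmsghdr), and otherwise write nothing and signal MSG_CTRUNC. The function detach_fds_checked() and the scenario_* helpers are hypothetical names; the kernel's real code path is not reproduced, only its contract. It assumes a Linux libc that provides the CMSG_LEN/CMSG_SPACE/CMSG_DATA/CMSG_FIRSTHDR macros.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical result codes for the modelled scm_detach_fds() contract. */
enum detach_result { DETACH_NO_ROOM = -1, DETACH_OK = 0, DETACH_TRUNCATED = 1 };

/* How large a receiver should make msg_control to hold nfds descriptors. */
static size_t control_buffer_size(size_t nfds)
{
    return CMSG_SPACE(nfds * sizeof(int));
}

/* User-space model of delivering nfds SCM_RIGHTS descriptors into the
 * caller-supplied (control, controllen) region. Never writes more than
 * controllen bytes; sets MSG_CTRUNC in *flags when anything is dropped.
 * *written receives the number of bytes actually stored. */
static int detach_fds_checked(void *control, size_t controllen,
                              const int *fds, size_t nfds,
                              int *flags, size_t *written)
{
    struct cmsghdr *cm = (struct cmsghdr *)control;
    size_t hdr = CMSG_LEN(0);          /* header rounded up to alignment */
    size_t fdmax, payload;

    *written = 0;
    /* The check the message describes as missing: the header alone needs
     * sizeof(struct cmsghdr) bytes; anything smaller gets no write at all. */
    if (control == NULL || controllen < sizeof(struct cmsghdr)) {
        *flags |= MSG_CTRUNC;
        return DETACH_NO_ROOM;
    }
    /* Only as many descriptors as fit after the header. */
    fdmax = controllen > hdr ? (controllen - hdr) / sizeof(int) : 0;
    if (fdmax > nfds)
        fdmax = nfds;
    payload = fdmax * sizeof(int);

    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type  = SCM_RIGHTS;
    cm->cmsg_len   = CMSG_LEN(payload);
    memcpy(CMSG_DATA(cm), fds, payload);
    *written = CMSG_LEN(payload);

    if (fdmax < nfds) {
        *flags |= MSG_CTRUNC;
        return DETACH_TRUNCATED;
    }
    return DETACH_OK;
}

/* Scenario 1: caller claims 4 bytes of control space (less than a header),
 * but a canary-filled area lies behind it. Correct behaviour: refuse, touch
 * nothing, report truncation. Returns 1 if every expectation holds. */
static int scenario_short_buffer(void)
{
    int fds[2] = {3, 4};                  /* constructed sample fd numbers */
    union { struct cmsghdr align; unsigned char bytes[64]; } u;
    int flags = 0, rc;
    size_t written = 99, i;

    memset(u.bytes, 0xAA, sizeof u.bytes);
    rc = detach_fds_checked(u.bytes, 4, fds, 2, &flags, &written);
    for (i = 0; i < sizeof u.bytes; i++)
        if (u.bytes[i] != 0xAA)
            return 0;                     /* bytes beyond the 4 were written */
    return rc == DETACH_NO_ROOM && written == 0 && (flags & MSG_CTRUNC) != 0;
}

/* Scenario 2: a buffer sized with CMSG_SPACE receives both descriptors and
 * parses back cleanly with the standard CMSG_* reader macros. */
static int scenario_sized_buffer(void)
{
    int fds[2] = {3, 4};                  /* constructed sample fd numbers */
    union { struct cmsghdr align; unsigned char bytes[CMSG_SPACE(2 * sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cm;
    int flags = 0, rc, got[2] = {0, 0};
    size_t written = 0;

    rc = detach_fds_checked(u.bytes, sizeof u.bytes, fds, 2, &flags, &written);
    memset(&msg, 0, sizeof msg);
    msg.msg_control = u.bytes;
    msg.msg_controllen = written;
    cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return 0;
    memcpy(got, CMSG_DATA(cm), sizeof got);
    return rc == DETACH_OK && flags == 0 && got[0] == 3 && got[1] == 4;
}

/* Scenario 3: room for exactly one descriptor, two offered: the first is
 * delivered, the second dropped, and MSG_CTRUNC is set. */
static int scenario_truncated(void)
{
    int fds[2] = {3, 4};                  /* constructed sample fd numbers */
    union { struct cmsghdr align; unsigned char bytes[CMSG_LEN(sizeof(int))]; } u;
    int flags = 0, rc;
    size_t written = 0;

    rc = detach_fds_checked(u.bytes, sizeof u.bytes, fds, 2, &flags, &written);
    return rc == DETACH_TRUNCATED && (flags & MSG_CTRUNC) != 0
        && written == CMSG_LEN(sizeof(int));
}

int main(void)
{
    printf("short buffer refused cleanly: %d\n", scenario_short_buffer());
    printf("sized buffer round-trips:     %d\n", scenario_sized_buffer());
    printf("truncation signalled:         %d\n", scenario_truncated());
    printf("control bytes for one fd:     %zu\n", control_buffer_size(1));
    return 0;
}
```

Scenario 1 is the case from the message: with the length check absent, the header and descriptor payload would land past the 4 bytes the caller offered. On the receiving side, sizing msg_control with CMSG_SPACE() for the number of descriptors expected, and checking msg_flags for MSG_CTRUNC after recvmsg(), is the matching user-space discipline.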