From: Thomas Osterried (llksfnl@relay.tunkki.fi)
Date: Sun Aug 26 2001 - 17:08:43 EEST
there's an AX25 bug in linux kernel 2.4.x including the latest 2.4.9,
where the kernel crashes under special circumstances, when an AX25 SABM
arrives:
while direct connects are ok, connects from ax25 users coming via digipeaters
lead to kernel panic.
the bug is located in ax25_in.c ax25_rcv(),
where we copy for our ACK the reverse path to ax25->digipeat:
    /* Reverse the source SABM's path */
    memcpy(&ax25->digipeat, &reverse_dp, sizeof(ax25_digi));
this copies reverse_dp to a bad address. it should be
    memcpy(ax25->digipeat, &reverse_dp, sizeof(ax25_digi));
this wrong copy leads to garbage, with the effect that in ax25_send_control()
the part
    if ((skb = alloc_skb(AX25_BPQ_HEADER_LEN + ax25_addr_size(ax25->digipeat) + 2, GFP_ATOMIC)) == NULL)
        return;
causes a panic while computing the len with ax25_addr_size(ax25->digipeat).
thus, the following patch should solve the problem:
*** linux/net/ax25/ax25_in.c.bad Sat Jun 30 04:38:26 2001
--- linux/net/ax25/ax25_in.c Sun Aug 26 15:59:21 2001
***************
*** 431,437 ****
}
} else {
/* Reverse the source SABM's path */
! memcpy(&ax25->digipeat, &reverse_dp, sizeof(ax25_digi));
}
if ((*skb->data & ~AX25_PF) == AX25_SABME) {
--- 431,437 ----
}
} else {
/* Reverse the source SABM's path */
! memcpy(ax25->digipeat, &reverse_dp, sizeof(ax25_digi));
}
if ((*skb->data & ~AX25_PF) == AX25_SABME) {
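Review bot: In the else branch, the corrected memcpy writes sizeof(ax25_digi) bytes through the ax25->digipeat pointer, but the context lines shown do not establish that the pointer is non-NULL and refers to a buffer of at least that size on this path. Please confirm where ax25->digipeat is allocated before this copy, or add a guard if it can still be NULL here. It would also help to state in the description that digipeat is a pointer member, so the old &ax25->digipeat destination overwrote the pointer itself (and, if ax25_digi is larger than a pointer, the fields after it), which is why ax25_addr_size(ax25->digipeat) later works on garbage.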
73,
- thomas DL9SAU @ DB0TUD.#SAX.DEU.EU <jkij@kerailya.tunkki.fi>
This archive was generated by hypermail 2b30 : Sun Aug 26 2001 - 17:33:14 EEST
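The bug class described in the message above (memcpy to the address of a pointer member instead of to the buffer it points to) can be caught with a copy helper that takes the destination size from the pointed-to object. This is an added example, not code from the original message or from the kernel; `addr_t`, `digi_t`, `cb_t`, `copy_checked` and `COPY_OBJ` are hypothetical names, and the struct layouts are simplified stand-ins.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel types (assumed layout, constructed for this example). */
typedef struct { unsigned char call[7]; } addr_t;
typedef struct {
    addr_t calls[8];
    unsigned char repeated[8];
    unsigned char ndigi;
} digi_t;
typedef struct {
    digi_t *digipeat;      /* pointer member, as the fix in the message implies */
    unsigned char state;
} cb_t;

/* Copy n bytes only if the destination object is at least n bytes large. */
static int copy_checked(void *dst, size_t dst_size, const void *src, size_t n)
{
    if (dst == NULL || n > dst_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}
/* dst_size comes from the pointed-to object, so &cb->digipeat yields sizeof(pointer). */
#define COPY_OBJ(dst, src) copy_checked((dst), sizeof(*(dst)), (src), sizeof(*(src)))

/* Pre-patch form: destination is the pointer field itself. Rejected, nothing is written. */
int set_path_prepatch(cb_t *cb, const digi_t *rev) { return COPY_OBJ(&cb->digipeat, rev); }

/* Patched form: destination is the buffer the pointer refers to. */
int set_path_patched(cb_t *cb, const digi_t *rev) { return COPY_OBJ(cb->digipeat, rev); }

/* Bytes an unchecked pre-patch memcpy would write beyond the pointer field. */
size_t overrun_bytes(void) { return sizeof(digi_t) - sizeof(digi_t *); }

int main(void)
{
    digi_t rev = { .ndigi = 2 };   /* constructed sample path with two digipeaters */
    cb_t cb = { .digipeat = calloc(1, sizeof(digi_t)), .state = 1 };
    if (cb.digipeat == NULL)
        return 1;
    int bad = set_path_prepatch(&cb, &rev);
    int good = set_path_patched(&cb, &rev);
    int ok = (bad == -1 && good == 0 && cb.digipeat->ndigi == 2);
    free(cb.digipeat);
    return ok ? 0 : 1;
}
```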