Ben Hutchings wrote an interesting report on a security issue in Linux
that he found while working on bug #654876. Because his laptop
running Linux 3.0 or 3.1 crashed repeatedly, Simon McVittie, the bug
submitter, thought it could be a driver bug. But, analysing the log of
the crash, Ben noted that "a packet received through the wireless
interface was being processed by IGMP, which then divided by zero."
IGMP packets are used to support multicast routers: as Ben explained,
"every multicast address corresponds to a dynamic set of hosts, called
a multicast group". In order to know which hosts belong to which groups,
the router sends packets and the computer replies at intervals. There are
three different versions of the IGMP protocol, each of which defines the
Maximum Response Time (MRT) of the computer. Ben found that the crash was
caused by a division by zero when processing packets with an MRT of 0.
The patch is included in Linux 3.0.17, 3.1.9, 3.2.1, and the Debian
packaged version 3.1.8-2.
Well done, Ben!
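
To illustrate the failure mode described above, here is an added example (not the kernel's code and not Ben's patch) of a user-space routine that decodes the MRT from a query and guards the divisor before using it. The function names and sample packets are hypothetical; the field layout and the IGMPv3 code encoding are taken from RFC 2236 and RFC 3376.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IGMP_QUERY     0x11  /* membership query type */
#define V1_DEFAULT_MRT 100   /* IGMPv1 has no MRT field: 10 s in 1/10 s units */

/* Constructed sample queries (checksums left at zero and not verified here). */
static const uint8_t v2_query[8]     = {0x11, 100,  0, 0, 0, 0, 0, 0};
static const uint8_t v3_zero_mrt[12] = {0x11, 0,    0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
static const uint8_t v3_float[12]    = {0x11, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

/* IGMPv3 Max Resp Code: literal below 128, else 1|exp(3)|mant(4) floating point. */
static unsigned decode_v3_code(uint8_t code)
{
    if (code < 128)
        return code;
    return ((code & 0x0fu) | 0x10u) << (((code >> 4) & 0x7u) + 3);
}

/* MRT in tenths of a second (always >= 1), or -1 if not a well-formed query. */
int query_max_delay(const uint8_t *pkt, size_t len)
{
    unsigned mrt;

    if (pkt == NULL || len < 8 || pkt[0] != IGMP_QUERY)
        return -1;
    if (len > 8 && len < 12)
        return -1;               /* neither v1/v2 (8 bytes) nor v3 (>= 12) */
    if (len == 8)
        mrt = pkt[1] ? pkt[1] : V1_DEFAULT_MRT;  /* code 0 means IGMPv1 */
    else
        mrt = decode_v3_code(pkt[1]);
    if (mrt == 0)
        mrt = 1;                 /* the guard: never hand 0 to the modulo below */
    return (int)mrt;
}

/* Report delay in [0, MRT); rnd is supplied by the caller so results are testable. */
int pick_report_delay(const uint8_t *pkt, size_t len, unsigned rnd)
{
    int max_delay = query_max_delay(pkt, len);
    return max_delay < 0 ? -1 : (int)(rnd % (unsigned)max_delay);
}

int main(void)
{
    printf("v2=%d v3(code 0)=%d v3(code 0x80)=%d\n",
           query_max_delay(v2_query, sizeof v2_query),
           query_max_delay(v3_zero_mrt, sizeof v3_zero_mrt),
           query_max_delay(v3_float, sizeof v3_float));
    return 0;
}
```

Without the `mrt == 0` clamp, the 12-byte query with a code of 0 would reach the modulo with a zero divisor, which is the class of fault the report describes.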