Message ID | 1299602346-10982-1-git-send-email-sconklin@canonical.com |
---|---|
State | New |
On 03/08/2011 04:39 PM, Steve Conklin wrote:
> BugLink: http://bugs.launchpad.net/bugs/731199
>
> CVE-2010-4164
>
> Now with improved comma support.
>
> On parsing malformed X.25 facilities, decrementing the remaining length
> may cause it to underflow. Since the length is an unsigned integer,
> this will result in the loop continuing until the kernel crashes.
>
> This patch adds checks to ensure decrementing the remaining length does
> not cause it to wrap around.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (based on upstream commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f)
> Signed-off-by: Steve Conklin <sconklin@canonical.com>
> ---
> net/x25/x25_facilities.c | 11 +++++++++--
> 1 files changed, 9 insertions(+), 2 deletions(-)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>
On Tue, 2011-03-08 at 16:45 +0000, Tim Gardner wrote:
> On 03/08/2011 04:39 PM, Steve Conklin wrote:
> > BugLink: http://bugs.launchpad.net/bugs/731199
> >
> > CVE-2010-4164
> >
> > Now with improved comma support.
> >
> > On parsing malformed X.25 facilities, decrementing the remaining length
> > may cause it to underflow. Since the length is an unsigned integer,
> > this will result in the loop continuing until the kernel crashes.
> >
> > This patch adds checks to ensure decrementing the remaining length does
> > not cause it to wrap around.
> >
> > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> > (based on upstream commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f)
> > Signed-off-by: Steve Conklin <sconklin@canonical.com>
> > ---
> > net/x25/x25_facilities.c | 11 +++++++++--
> > 1 files changed, 9 insertions(+), 2 deletions(-)
> >
>
> Acked-by: Tim Gardner <tim.gardner@canonical.com>
>
> --
> Tim Gardner tim.gardner@canonical.com
>

Applied
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c index 54278b9..9650df4 100644 --- a/net/x25/x25_facilities.c +++ b/net/x25/x25_facilities.c @@ -43,6 +43,8 @@ int x25_parse_facilities(struct sk_buff *skb, while (len > 0) { switch (*p & X25_FAC_CLASS_MASK) { case X25_FAC_CLASS_A: + if (len < 2) + return 0; switch (*p) { case X25_FAC_REVERSE: if((p[1] & 0x81) == 0x81) { @@ -84,6 +86,8 @@ int x25_parse_facilities(struct sk_buff *skb, len -= 2; break; case X25_FAC_CLASS_B: + if (len < 3) + return 0; switch (*p) { case X25_FAC_PACKET_SIZE: facilities->pacsize_in = p[1]; @@ -105,6 +109,8 @@ int x25_parse_facilities(struct sk_buff *skb, len -= 3; break; case X25_FAC_CLASS_C: + if (len < 4) + return 0; printk(KERN_DEBUG "X.25: unknown facility %02X, " "values %02X, %02X, %02X\n", p[0], p[1], p[2], p[3]); @@ -112,9 +118,10 @@ int x25_parse_facilities(struct sk_buff *skb, len -= 4; break; case X25_FAC_CLASS_D: + if (len < p[1] + 2) + return 0; printk(KERN_DEBUG "X.25: unknown facility %02X, " - "length %d, values %02X, %02X, %02X, %02X\n", - p[0], p[1], p[2], p[3], p[4], p[5]); + "length %d\n", p[0], p[1]); len -= p[1] + 2; p += p[1] + 2; break;
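Review bot: the X25_FAC_CLASS_A hunk introduces `return 0` as the result for a truncated facilities block, and the three hunks that follow use the same convention, but nothing in the diff records that 0 now means "malformed input"; add a comment above x25_parse_facilities stating that contract, and confirm that every caller treats a 0 return as a failure rather than as an empty facilities field, otherwise the new checks stop the loop but not the processing of the packet.

Review bot: in the X25_FAC_CLASS_D hunk the new guard `if (len < p[1] + 2)` dereferences p[1] before anything has established that two bytes remain; the loop condition `while (len > 0)` only guarantees one, so a facilities block that ends in a lone class-D code byte still reads one byte beyond the declared length before the check can reject it. Suggest `if (len < 2 || len < p[1] + 2) return 0;` (or hoisting a `len < 2` test above the class switch so all four cases share it). Dropping p[2]..p[5] from the debug printk in the same hunk is the right companion change, since those bytes were previously read before any length validation.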