Patchwork [lucid/fsl-imx51,CVE,1/3] rose_loopback_timer sets VC number <= ROSE_DEFAULT_MAXVC

Submitter Andy Whitcroft
Date July 28, 2011, 10:05 a.m.
Message ID <1311847535-23096-5-git-send-email-apw@canonical.com>
Permalink /patch/107229/
State New

Comments

Andy Whitcroft - July 28, 2011, 10:05 a.m.
From: Bernard Pidoux F6BVP <f6bvp@free.fr>

cat /proc/net/rose displayed a rose socket's abnormal lci value, i.e.
greater than the maximum number of VCs per neighbour allowed.
This number prevents further test of lci value during rose operations.

Example (lines shortened) :
[bernard]# cat /proc/net/rose
dest_addr  dest_call src_addr   src_call  dev   lci neigh st vs vr va
*          *         2080175520 F6BVP-1   rose0 000 00000  0  0  0  0
2080175520 FPAD-0    2080175520 WP-0      rose0 FFE 00001  3  0  0  0

Here are the default parameters :

linux/include/net/rose.h:#define ROSE_DEFAULT_MAXVC 50 /* Maximum number of VCs per neighbour */
linux/net/rose/af_rose.c:int sysctl_rose_maximum_vcs = ROSE_DEFAULT_MAXVC;

With the following patch, rose_loopback_timer() attributes a VC number
within limits.

Signed-off-by: Bernard Pidoux <f6bvp@amsat.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry picked from commit 1f731b63752dac76ff4dbf568a08ff2e3663316f)
CVE-2011-1493
BugLink: http://bugs.launchpad.net/bugs/816550
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 net/rose/rose_loopback.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

Patch

diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
index 114df6e..968e8ba 100644
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -75,7 +75,7 @@  static void rose_loopback_timer(unsigned long param)
 		lci_i     = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
 		frametype = skb->data[2];
 		dest      = (rose_address *)(skb->data + 4);
-		lci_o     = 0xFFF - lci_i;
+		lci_o     = ROSE_DEFAULT_MAXVC + 1 - lci_i;
 
 		skb_reset_transport_header(skb);
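
Review bot: The new `lci_o = ROSE_DEFAULT_MAXVC + 1 - lci_i;` only yields a VC number within limits when lci_i is between 1 and ROSE_DEFAULT_MAXVC, yet lci_i is built from skb->data[0] and skb->data[1] with a 12-bit mask at the top of this hunk and is not range-checked anywhere in the visible context. Any lci_i above ROSE_DEFAULT_MAXVC + 1 makes the subtraction go negative (or wrap, depending on the type of lci_o, which is not shown), and lci_i == 0 produces ROSE_DEFAULT_MAXVC + 1, which is itself over the limit. Suggest dropping the frame when lci_i is 0 or greater than the limit before computing lci_o. Separately, the commit message points out that the runtime limit is sysctl_rose_maximum_vcs, which is only initialised from ROSE_DEFAULT_MAXVC; using the compile-time constant here ignores a changed sysctl value, so either use sysctl_rose_maximum_vcs or add a comment explaining why the constant is intended. The context lines also read skb->data[0..2] and skb->data + 4 with no length check shown in this hunk; please confirm skb->len is validated earlier in rose_loopback_timer().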