Patchwork [maverick/ti-omap4,CVE,1/1] memory corruption in X.25 facilities parsing

login
register
mail settings
Submitter Andy Whitcroft
Date Oct. 4, 2011, 10:58 a.m.
Message ID <1317725887-19677-2-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/117598/
State New
Headers show

Comments

Andy Whitcroft - Oct. 4, 2011, 10:58 a.m.
From: andrew hendry <andrew.hendry@gmail.com>

Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>

Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry picked from commit a6331d6f9a4298173b413cf99a40cc86a9d92c37)
CVE-2010-3873
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 net/x25/x25_facilities.c |    8 ++++----
 net/x25/x25_in.c         |    2 ++
 2 files changed, 6 insertions(+), 4 deletions(-)
Stefan Bader - Oct. 4, 2011, 11:39 a.m.
On 04.10.2011 12:58, Andy Whitcroft wrote:
> From: andrew hendry <andrew.hendry@gmail.com>
> 
> Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>
> 
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> (cherry picked from commit a6331d6f9a4298173b413cf99a40cc86a9d92c37)
> CVE-2010-3873
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  net/x25/x25_facilities.c |    8 ++++----
>  net/x25/x25_in.c         |    2 ++
>  2 files changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
> index 8f15284..55187c8 100644
> --- a/net/x25/x25_facilities.c
> +++ b/net/x25/x25_facilities.c
> @@ -142,15 +142,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
>  				return 0;
>  			switch (*p) {
>  			case X25_FAC_CALLING_AE:
> -				if (p[1] > X25_MAX_DTE_FACIL_LEN)
> -					break;
> +				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
> +					return 0;
>  				dte_facs->calling_len = p[2];
>  				memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
>  				*vc_fac_mask |= X25_MASK_CALLING_AE;
>  				break;
>  			case X25_FAC_CALLED_AE:
> -				if (p[1] > X25_MAX_DTE_FACIL_LEN)
> -					break;
> +				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
> +					return 0;
>  				dte_facs->called_len = p[2];
>  				memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
>  				*vc_fac_mask |= X25_MASK_CALLED_AE;
> diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
> index 6317896..f729f02 100644
> --- a/net/x25/x25_in.c
> +++ b/net/x25/x25_in.c
> @@ -119,6 +119,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
>  						&x25->vc_facil_mask);
>  			if (len > 0)
>  				skb_pull(skb, len);
> +			else
> +				return -1;
>  			/*
>  			 *	Copy any Call User Data.
>  			 */

Sometimes upstream is overly verbose... Anyways, clean pick, is in other
releases and simple.

Acked-by: Stefan Bader <smb@canonical.com>
Tim Gardner - Oct. 4, 2011, 1:10 p.m.
On 10/04/2011 04:58 AM, Andy Whitcroft wrote:
> From: andrew hendry<andrew.hendry@gmail.com>
>
> Signed-of-by: Andrew Hendry<andrew.hendry@gmail.com>
>
> Signed-off-by: David S. Miller<davem@davemloft.net>
>
> (cherry picked from commit a6331d6f9a4298173b413cf99a40cc86a9d92c37)
> CVE-2010-3873
> Signed-off-by: Andy Whitcroft<apw@canonical.com>
> ---
>   net/x25/x25_facilities.c |    8 ++++----
>   net/x25/x25_in.c         |    2 ++
>   2 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
> index 8f15284..55187c8 100644
> --- a/net/x25/x25_facilities.c
> +++ b/net/x25/x25_facilities.c
> @@ -142,15 +142,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
>   				return 0;
>   			switch (*p) {
>   			case X25_FAC_CALLING_AE:
> -				if (p[1]>  X25_MAX_DTE_FACIL_LEN)
> -					break;
> +				if (p[1]>  X25_MAX_DTE_FACIL_LEN || p[1]<= 1)
> +					return 0;
>   				dte_facs->calling_len = p[2];
>   				memcpy(dte_facs->calling_ae,&p[3], p[1] - 1);
>   				*vc_fac_mask |= X25_MASK_CALLING_AE;
>   				break;
>   			case X25_FAC_CALLED_AE:
> -				if (p[1]>  X25_MAX_DTE_FACIL_LEN)
> -					break;
> +				if (p[1]>  X25_MAX_DTE_FACIL_LEN || p[1]<= 1)
> +					return 0;
>   				dte_facs->called_len = p[2];
>   				memcpy(dte_facs->called_ae,&p[3], p[1] - 1);
>   				*vc_fac_mask |= X25_MASK_CALLED_AE;
> diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
> index 6317896..f729f02 100644
> --- a/net/x25/x25_in.c
> +++ b/net/x25/x25_in.c
> @@ -119,6 +119,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
>   						&x25->vc_facil_mask);
>   			if (len>  0)
>   				skb_pull(skb, len);
> +			else
> +				return -1;
>   			/*
>   			 *	Copy any Call User Data.
>   			 */

I presume this is BugLink: http://bugs.launchpad.net/bugs/709372 ?

Patch

diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index 8f15284..55187c8 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -142,15 +142,15 @@  int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
 				return 0;
 			switch (*p) {
 			case X25_FAC_CALLING_AE:
-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
-					break;
+				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+					return 0;
 				dte_facs->calling_len = p[2];
 				memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
 				*vc_fac_mask |= X25_MASK_CALLING_AE;
 				break;
 			case X25_FAC_CALLED_AE:
-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
-					break;
+				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+					return 0;
 				dte_facs->called_len = p[2];
 				memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
 				*vc_fac_mask |= X25_MASK_CALLED_AE;
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index 6317896..f729f02 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -119,6 +119,8 @@  static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
 						&x25->vc_facil_mask);
 			if (len > 0)
 				skb_pull(skb, len);
+			else
+				return -1;
 			/*
 			 *	Copy any Call User Data.
 			 */