Message ID | 1300671126.9043.8.camel@dan |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
On Sun, 2011-03-20 at 21:32 -0400, Dan Rosenberg wrote: > Length fields provided by a peer for names and attributes may be longer > than the destination array sizes. Validate lengths to prevent stack > buffer overflows. > While this is the most serious bug I see, this function also seems to lack any validation against skb->len. If someone wants to take care of this, by all means...if not, I'll post a follow-up patch in the next day or so. -Dan > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> > Cc: stable@kernel.org > --- > net/irda/iriap.c | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/net/irda/iriap.c b/net/irda/iriap.c > index 5b743bd..3647753 100644 > --- a/net/irda/iriap.c > +++ b/net/irda/iriap.c > @@ -656,10 +656,16 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self, > n = 1; > > name_len = fp[n++]; > + > + IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;); > + > memcpy(name, fp+n, name_len); n+=name_len; > name[name_len] = '\0'; > > attr_len = fp[n++]; > + > + IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;); > + > memcpy(attr, fp+n, attr_len); n+=attr_len; > attr[attr_len] = '\0'; > > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Sun, 20 Mar 2011 21:32:06 -0400

> Length fields provided by a peer for names and attributes may be longer
> than the destination array sizes. Validate lengths to prevent stack
> buffer overflows.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: stable@kernel.org

Applied.
diff --git a/net/irda/iriap.c b/net/irda/iriap.c index 5b743bd..3647753 100644 --- a/net/irda/iriap.c +++ b/net/irda/iriap.c @@ -656,10 +656,16 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self, n = 1; name_len = fp[n++]; + + IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;); + memcpy(name, fp+n, name_len); n+=name_len; name[name_len] = '\0'; attr_len = fp[n++]; + + IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;); + memcpy(attr, fp+n, attr_len); n+=attr_len; attr[attr_len] = '\0';
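Review bot: Both new bounds checks, the one after `name_len = fp[n++];` and the one after `attr_len = fp[n++];`, are expressed through IRDA_ASSERT, so whether the overflow is actually prevented depends on that macro still evaluating the condition and running `return;` in every build configuration, which this diff does not show. For validation of peer-supplied lengths, an explicit test such as `if (name_len > IAS_MAX_CLASSNAME) return;` would not depend on how the assertion macro is defined. Separately, each memcpy still reads name_len or attr_len bytes from fp+n, and nothing in this hunk checks that the received frame holds that many bytes.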
Length fields provided by a peer for names and attributes may be longer than the destination array sizes. Validate lengths to prevent stack buffer overflows.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
---
 net/irda/iriap.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)
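The two checks this thread discusses, shown as an added user-space example that is not code from the patch or the kernel: the length byte is validated against the destination array, as the patch does, and against the bytes remaining in the frame, which the reply notes is missing for skb->len. The function names, the EX_MAX_* sizes and the flat byte-buffer interface are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed sizes for this example; not taken from the kernel headers. */
#define EX_MAX_CLASSNAME  60
#define EX_MAX_ATTRIBNAME 60

/*
 * Copy one length-prefixed string from frame[*off .. len) into dst.
 * cap is the full size of dst, including room for the terminating NUL.
 * Returns 0 on success, -1 if the peer-supplied length does not fit
 * the destination or runs past the end of the received frame.
 */
static int get_lp_string(const uint8_t *frame, size_t len, size_t *off,
                         char *dst, size_t cap)
{
    size_t n = *off;
    uint8_t field_len;

    if (n >= len)              /* no byte left for the length field */
        return -1;
    field_len = frame[n++];
    if (field_len >= cap)      /* would overflow dst (NUL needs one byte) */
        return -1;
    if (field_len > len - n)   /* would read past the end of the frame */
        return -1;
    memcpy(dst, frame + n, field_len);
    dst[field_len] = '\0';
    *off = n + field_len;
    return 0;
}

/* Parse a class name followed by an attribute name, both length-prefixed. */
int parse_getvaluebyclass(const uint8_t *frame, size_t len,
                          char name[EX_MAX_CLASSNAME + 1],
                          char attr[EX_MAX_ATTRIBNAME + 1])
{
    size_t n = 1;              /* first byte is skipped, as n = 1 in the hunk */

    if (get_lp_string(frame, len, &n, name, EX_MAX_CLASSNAME + 1) < 0)
        return -1;
    if (get_lp_string(frame, len, &n, attr, EX_MAX_ATTRIBNAME + 1) < 0)
        return -1;
    return 0;
}
```

Doing the source-length check as `field_len > len - n` rather than `n + field_len > len` keeps the comparison free of overflow, since `n <= len` is already established at that point.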