Message ID | 1299599165-10049-1-git-send-email-sconklin@canonical.com |
---|---|
On 03/08/2011 03:46 PM, Steve Conklin wrote:
> BugLink: http://bugs.launchpad.net/bugs/731199
>
> CVE-2010-4164
>
> Now with improved comma support.
>
> On parsing malformed X.25 facilities, decrementing the remaining length
> may cause it to underflow. Since the length is an unsigned integer,
> this will result in the loop continuing until the kernel crashes.
>
> This patch adds checks to ensure decrementing the remaining length does
> not cause it to wrap around.
>
> Signed-off-by: Dan Rosenberg<drosenberg@vsecurity.com>
> Signed-off-by: David S. Miller<davem@davemloft.net>
> (based on upstream commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f)
> Signed-off-by: Steve Conklin<sconklin@canonical.com>
> ---
> net/x25/x25_facilities.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
> index 54278b9..2af5e45 100644
> --- a/net/x25/x25_facilities.c
> +++ b/net/x25/x25_facilities.c
> @@ -43,6 +43,8 @@ int x25_parse_facilities(struct sk_buff *skb,
> while (len> 0) {
> switch (*p& X25_FAC_CLASS_MASK) {
> case X25_FAC_CLASS_A:
> + if (len< 2)
> + return 0;
> switch (*p) {
> case X25_FAC_REVERSE:
> if((p[1]& 0x81) == 0x81) {
> @@ -84,6 +86,8 @@ int x25_parse_facilities(struct sk_buff *skb,
> len -= 2;
> break;
> case X25_FAC_CLASS_B:
> + if (len< 3)
> + return 0;
> switch (*p) {
> case X25_FAC_PACKET_SIZE:
> facilities->pacsize_in = p[1];
> @@ -105,6 +109,8 @@ int x25_parse_facilities(struct sk_buff *skb,
> len -= 3;
> break;
> case X25_FAC_CLASS_C:
> + if (len< 4)
> + return 0;
> printk(KERN_DEBUG "X.25: unknown facility %02X, "
> "values %02X, %02X, %02X\n",
> p[0], p[1], p[2], p[3]);
> @@ -112,6 +118,8 @@ int x25_parse_facilities(struct sk_buff *skb,
> len -= 4;
> break;
> case X25_FAC_CLASS_D:
> + if (len< p[1] + 2)
> + return 0;
> printk(KERN_DEBUG "X.25: unknown facility %02X, "
> "length %d, values %02X, %02X, %02X, %02X\n",
> p[0], p[1], p[2], p[3], p[4], p[5]);

Seems like you missed part of the upstream patch:

- "length %d, values %02X, %02X, "
- "%02X, %02X\n",
- p[0], p[1], p[2], p[3], p[4], p[5]);
+ "length %d\n", p[0], p[1]);
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index 54278b9..2af5e45 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -43,6 +43,8 @@ int x25_parse_facilities(struct sk_buff *skb,
while (len > 0) {
switch (*p & X25_FAC_CLASS_MASK) {
case X25_FAC_CLASS_A:
+ if (len < 2)
+ return 0;
switch (*p) {
case X25_FAC_REVERSE:
if((p[1] & 0x81) == 0x81) {
@@ -84,6 +86,8 @@ int x25_parse_facilities(struct sk_buff *skb,
len -= 2;
break;
case X25_FAC_CLASS_B:
+ if (len < 3)
+ return 0;
switch (*p) {
case X25_FAC_PACKET_SIZE:
facilities->pacsize_in = p[1];
@@ -105,6 +109,8 @@ int x25_parse_facilities(struct sk_buff *skb,
len -= 3;
break;
case X25_FAC_CLASS_C:
+ if (len < 4)
+ return 0;
printk(KERN_DEBUG "X.25: unknown facility %02X, "
"values %02X, %02X, %02X\n",
p[0], p[1], p[2], p[3]);
@@ -112,6 +118,8 @@ int x25_parse_facilities(struct sk_buff *skb,
len -= 4;
break;
case X25_FAC_CLASS_D:
+ if (len < p[1] + 2)
+ return 0;
printk(KERN_DEBUG "X.25: unknown facility %02X, "
"length %d, values %02X, %02X, %02X, %02X\n",
p[0], p[1], p[2], p[3], p[4], p[5]);
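Review bot: In the X25_FAC_CLASS_D hunk the new guard `if (len < p[1] + 2)` reads p[1] before anything has established that a second byte lies within the remaining length; the loop condition only guarantees len > 0, so a class-D facility code arriving as the final byte makes the guard itself read one byte past the validated data. Short-circuiting on the constant bound first avoids evaluating p[1] in that case: `if (len < 2 || len < p[1] + 2)` followed by the existing `return 0;`. The class A, B and C hunks do not have this problem because their minimum lengths are constants rather than values read from the buffer. x25_parse_facilities begins and ends outside these hunks, so how len is derived from the skb and what the caller does with the 0 return are not visible here.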