From: Dan Rosenberg <drosenberg@vsecurity.com>
To: ralf@linux-mips.org, davem@davemloft.net
Cc: netdev@vger.kernel.org, security@kernel.org
Subject: [PATCH] ROSE: prevent heap corruption with bad facilities
Date: Sat, 19 Mar 2011 19:28:33 -0400 [thread overview]
Message-ID: <1300577313.12507.17.camel@dan> (raw)
When parsing the FAC_NATIONAL_DIGIS facilities field, keeping the
counter field in an unsigned char is insufficient, since the counter is
incremented by AX25_ADDR_LEN (7) with each loop. Providing a field
length of 0xf, for example, causes heap corruption because the counter
wraps without ever reaching the length and data is copied past the
boundaries of the source_digis or dest_digis facilities arrays. Change
the counter to an unsigned ints to prevent this wrapping and overflow.
Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a length of less than 10 results
in an underflow in a memcpy size, resulting in a kernel panic due to
massive heap corruption. Abort facilities parsing on this invalid
length value.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
---
net/rose/rose_subr.c | 12 +++++++++++-
1 files changed, 11 insertions(+), 1 deletions(-)
diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
index 1734abb..fee9de4 100644
--- a/net/rose/rose_subr.c
+++ b/net/rose/rose_subr.c
@@ -240,7 +240,8 @@ int rose_decode(struct sk_buff *skb, int *ns, int *nr, int *q, int *d, int *m)
static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *facilities, int len)
{
unsigned char *pt;
- unsigned char l, lg, n = 0;
+ unsigned char l, n = 0;
+ unsigned int lg;
int fac_national_digis_received = 0;
do {
@@ -334,12 +335,16 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
case 0xC0:
l = p[1];
if (*p == FAC_CCITT_DEST_NSAP) {
+ if (l < 10)
+ return -1;
memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN);
memcpy(callsign, p + 12, l - 10);
callsign[l - 10] = '\0';
asc2ax(&facilities->source_call, callsign);
}
if (*p == FAC_CCITT_SRC_NSAP) {
+ if (l < 10)
+ return -1;
memcpy(&facilities->dest_addr, p + 7, ROSE_ADDR_LEN);
memcpy(callsign, p + 12, l - 10);
callsign[l - 10] = '\0';
@@ -379,6 +384,11 @@ int rose_parse_facilities(unsigned char *p,
case FAC_CCITT: /* CCITT */
len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
+
+ /* Invalid facilities */
+ if (len < 0)
+ return 0;
+
facilities_len -= len + 1;
p += len + 1;
break;
next reply other threads:[~2011-03-19 23:35 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-19 23:28 Dan Rosenberg [this message]
2011-03-20 6:03 ` [PATCH] ROSE: prevent heap corruption with bad facilities Dan Rosenberg
2011-03-20 6:07 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1300577313.12507.17.camel@dan \
--to=drosenberg@vsecurity.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=ralf@linux-mips.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.