public inbox for linux-kernel@vger.kernel.org
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Dan Rosenberg <drosenberg@vsecurity.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [42/44] x25: Prevent crashing when parsing bad X.25 facilities
Date: Tue, 07 Dec 2010 16:04:41 -0800	[thread overview]
Message-ID: <20101208000643.820922980@clark.site> (raw)
In-Reply-To: <20101208003205.GA4286@kroah.com>

2.6.27-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Dan Rosenberg <drosenberg@vsecurity.com>

commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream.

Now with improved comma support.

On parsing malformed X.25 facilities, decrementing the remaining length
may cause it to underflow.  Since the length is an unsigned integer,
this will result in the loop continuing until the kernel crashes.

This patch adds checks to ensure decrementing the remaining length does
not cause it to wrap around.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/x25/x25_facilities.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff
 	while (len > 0) {
 		switch (*p & X25_FAC_CLASS_MASK) {
 		case X25_FAC_CLASS_A:
+			if (len < 2)
+				return 0;
 			switch (*p) {
 			case X25_FAC_REVERSE:
 				if((p[1] & 0x81) == 0x81) {
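Review bot: `len` is unsigned (the commit message says so), so this `if (len < 2) return 0;` placed before the class A body is what keeps the `len -= 2` at the bottom of the arm from wrapping, and it also covers the `p[1]` read in the `X25_FAC_REVERSE` test visible just below. Worth confirming in the caller, which is not part of this hunk, that a 0 return aborts the call rather than being treated as "0 bytes consumed".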
@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff
 			len -= 2;
 			break;
 		case X25_FAC_CLASS_B:
+			if (len < 3)
+				return 0;
 			switch (*p) {
 			case X25_FAC_PACKET_SIZE:
 				facilities->pacsize_in  = p[1];
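Review bot: consistent with the class A arm; `len < 3` covers the `p[1]`/`p[2]` reads (`pacsize_in = p[1]` here) and the `len -= 3` further down. Style point: the four class arms now repeat the same check-and-return with a hard-coded width that has to agree with the `len -= N` at the end of the same arm; a per-class width helper used for both the check and the decrement would keep the two numbers from drifting apart in a later edit.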
@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff
 			len -= 3;
 			break;
 		case X25_FAC_CLASS_C:
+			if (len < 4)
+				return 0;
 			printk(KERN_DEBUG "X.25: unknown facility %02X, "
 			       "values %02X, %02X, %02X\n",
 			       p[0], p[1], p[2], p[3]);
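Review bot: the `len < 4` check guards a `printk` that dereferences `p[0]` through `p[3]`, which is exactly the read that overran a short block before; good. Minor: this prints peer-supplied bytes on an unknown-facility path that a remote end can hit once per call, so wrapping it in `printk_ratelimit()` would stop a flood of these lines in the log.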
@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff
 			len -= 4;
 			break;
 		case X25_FAC_CLASS_D:
+			if (len < p[1] + 2)
+				return 0;
 			switch (*p) {
 			case X25_FAC_CALLING_AE:
 				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
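Review bot: `p[1]` is read by `if (len < p[1] + 2)` before anything establishes `len >= 2`; the `while (len > 0)` loop head only guarantees one byte, so a class D code byte as the last byte of the block makes this comparison read one past the declared length. Suggest `if (len < 2 || len < p[1] + 2) return 0;`. The `p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1` test in the `X25_FAC_CALLING_AE` arm does not help here, since it runs after this read.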
@@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff
 				break;
 			default:
 				printk(KERN_DEBUG "X.25: unknown facility %02X,"
-					"length %d, values %02X, %02X, "
-					"%02X, %02X\n",
-					p[0], p[1], p[2], p[3], p[4], p[5]);
+					"length %d\n", p[0], p[1]);
 				break;
 			}
 			len -= p[1] + 2;
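Review bot: dropping `p[2]`..`p[5]` from the default-arm `printk` is required, not cosmetic: the new `len < p[1] + 2` check only promises `p[1] + 2` bytes, and nothing on the default path rejects `p[1]` of 0 or 1 (the `<= 1` test visible in the previous hunk belongs to the `X25_FAC_CALLING_AE` arm), so the old format string read up to four bytes the length check never covered. If the values are wanted for debugging, `print_hex_dump` with a length of `p[1]` would show them without a fixed-count read. The closing `len -= p[1] + 2` now matches the check at the top of the arm.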

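The underflow the commit message describes, as an added example that is not part of this patch or of the kernel's x25 code: a stand-alone C model of the facilities walk. The `FAC_CLASS_*` constants are hypothetical and only imitate the X25_FAC_CLASS_* encoding the patch switches on (top two bits of the code byte select the class, the class fixes the width). `parse_facilities_guarded` checks before each subtraction the way the hunks do, and additionally confirms `len >= 2` before reading the class D length byte; `parse_facilities_unguarded` keeps the pre-patch subtract-then-loop shape but is instrumented to stop at the buffer end and report the wrapped `len` instead of running off into memory. Both sample byte strings are constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <limits.h>

/* Hypothetical facility classes, modelled on (not copied from) the
 * X25_FAC_CLASS_* encoding the patch switches on: the top two bits of
 * the code byte choose the class, and the class fixes the width. */
#define FAC_CLASS_MASK 0xC0
#define FAC_CLASS_A    0x00   /* code + 1 parameter byte  -> 2 bytes */
#define FAC_CLASS_B    0x40   /* code + 2 parameter bytes -> 3 bytes */
#define FAC_CLASS_C    0x80   /* code + 3 parameter bytes -> 4 bytes */
#define FAC_CLASS_D    0xC0   /* code + length byte + p[1] bytes      */

/* Width of the facility at p, or 0 if the remaining length cannot hold
 * it. This is the per-class check the patch adds; for class D the
 * length byte itself must lie inside len before it is read. */
static unsigned int facility_width(const unsigned char *p, unsigned int len)
{
	unsigned int need;

	switch (p[0] & FAC_CLASS_MASK) {
	case FAC_CLASS_A: need = 2; break;
	case FAC_CLASS_B: need = 3; break;
	case FAC_CLASS_C: need = 4; break;
	default:          /* FAC_CLASS_D */
		if (len < 2)
			return 0;
		need = (unsigned int)p[1] + 2;
		break;
	}
	return need <= len ? need : 0;
}

/* Hardened walk: check before subtracting, as the patched loop does.
 * Returns bytes consumed, or 0 on a malformed block; *count receives the
 * number of facilities accepted before stopping. */
unsigned int parse_facilities_guarded(const unsigned char *buf, unsigned int len,
				      unsigned int *count)
{
	const unsigned char *p = buf;
	unsigned int n = 0;

	while (len > 0) {
		unsigned int w = facility_width(p, len);

		if (w == 0) {
			*count = n;
			return 0;
		}
		p += w;
		len -= w;       /* cannot wrap: w <= len was just checked */
		n++;
	}
	*count = n;
	return (unsigned int)(p - buf);
}

/* Pre-patch shape of the loop, instrumented so it is safe to run: it
 * subtracts first, so len wraps to a huge value when a facility overruns
 * the block. Instead of walking off the end of memory it stops once the
 * next read would pass buf_size and reports the wrapped len through
 * *wrapped. Returns the number of facilities walked. */
unsigned int parse_facilities_unguarded(const unsigned char *buf, unsigned int buf_size,
					unsigned int len, unsigned int *wrapped)
{
	const unsigned char *p = buf;
	unsigned int n = 0;

	*wrapped = 0;
	while (len > 0) {
		unsigned int w;

		/* Simulated fault: the next code/length byte lies past the buffer. */
		if ((unsigned int)(p - buf) + 2 > buf_size) {
			*wrapped = len;
			return n;
		}
		switch (p[0] & FAC_CLASS_MASK) {
		case FAC_CLASS_A: w = 2; break;
		case FAC_CLASS_B: w = 3; break;
		case FAC_CLASS_C: w = 4; break;
		default:          w = (unsigned int)p[1] + 2; break;
		}
		p += w;
		len -= w;       /* underflows when w > len */
		n++;
	}
	return n;
}

/* Constructed sample blocks (not real captures). */
const unsigned char sample_good[] = { 0x42, 0x0A, 0x0A, 0x01, 0x01 }; /* class B, then class A */
const unsigned char sample_bad[]  = { 0x01, 0x01, 0x42, 0x0A };       /* class A, then a truncated class B */

int main(void)
{
	unsigned int count = 0, wrapped = 0, r;

	r = parse_facilities_guarded(sample_good, sizeof sample_good, &count);
	printf("good: guarded consumed %u bytes, %u facilities\n", r, count);
	r = parse_facilities_guarded(sample_bad, sizeof sample_bad, &count);
	printf("bad:  guarded returned %u after %u facilities\n", r, count);
	r = parse_facilities_unguarded(sample_bad, sizeof sample_bad, sizeof sample_bad, &wrapped);
	printf("bad:  unguarded walked %u facilities, len wrapped to %u (UINT_MAX is %u)\n",
	       r, wrapped, UINT_MAX);
	return 0;
}
```

The instrumented walk shows the failure the commit message names: on the truncated block the second subtraction turns `len` into UINT_MAX, so `while (len > 0)` keeps iterating with `p` already past the data, which in the kernel means reading whatever follows the packet until something faults.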



Thread overview: 58+ messages
2010-12-08  0:32 [00/44] 2.6.27.57-stable review Greg KH
2010-12-08  0:04 ` [01/44] block: check for proper length of iov entries in blk_rq_map_user_iov() Greg KH
2010-12-08  0:04 ` [02/44] irda: Fix parameter extraction stack overflow Greg KH
2010-12-08  0:04 ` [03/44] irda: Fix heap memory corruption in iriap.c Greg KH
2010-12-08  0:04 ` [04/44] percpu: fix list_head init bug in __percpu_counter_init() Greg KH
2010-12-08  0:04 ` [05/44] um: fix global timer issue when using CONFIG_NO_HZ Greg KH
2010-12-08  0:04 ` [06/44] numa: fix slab_node(MPOL_BIND) Greg KH
2010-12-08  3:03   ` Lee Schermerhorn
2010-12-08  3:03   ` Lee Schermerhorn
2010-12-08  4:17     ` Greg KH
2010-12-08  4:37       ` Eric Dumazet
2010-12-08 13:54       ` Lee Schermerhorn
2010-12-08  4:33     ` Eric Dumazet
2010-12-08  5:07       ` Eric Dumazet
2010-12-08 13:53       ` Lee Schermerhorn
2010-12-08  0:04 ` [07/44] mm: fix return value of scan_lru_pages in memory unplug Greg KH
2010-12-08  0:04 ` [08/44] mm: fix is_mem_section_removable() page_order BUG_ON check Greg KH
2010-12-08  0:04 ` [09/44] ipc: initialize structure memory to zero for compat functions Greg KH
2010-12-08  0:04 ` [10/44] ipc: shm: fix information leak to userland Greg KH
2010-12-08  0:04 ` [11/44] sys_semctl: fix kernel stack leakage Greg KH
2010-12-08  0:04 ` [12/44] drivers/char/vt_ioctl.c: fix VT_OPENQRY error value Greg KH
2010-12-08  0:04 ` [13/44] eCryptfs: Clear LOOKUP_OPEN flag when creating lower file Greg KH
2010-12-08  0:04 ` [14/44] bio: take care not overflow page count when mapping/copying user data Greg KH
2010-12-08  0:04 ` [15/44] libata: fix NULL sdev dereference race in atapi_qc_complete() Greg KH
2010-12-08  0:04 ` [16/44] usb: misc: sisusbvga: fix information leak to userland Greg KH
2010-12-08  0:04 ` [17/44] usb: misc: iowarrior: " Greg KH
2010-12-08  0:04 ` [18/44] usb: core: " Greg KH
2010-12-08  0:04 ` [19/44] USB: EHCI: fix obscure race in ehci_endpoint_disable Greg KH
2010-12-08  0:04 ` [20/44] USB: storage: sierra_ms: fix sysfs file attribute Greg KH
2010-12-08  0:04 ` [21/44] USB: atm: ueagle-atm: fix up some permissions on the sysfs files Greg KH
2010-12-08  0:04 ` [22/44] USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions Greg KH
2010-12-08  0:04 ` [23/44] USB: misc: usbled: " Greg KH
2010-12-08  0:04 ` [24/44] USB: misc: trancevibrator: fix up a sysfs attribute permission Greg KH
2010-12-08  0:04 ` [25/44] acpi-cpufreq: fix a memleak when unloading driver Greg KH
2010-12-08  0:04 ` [26/44] do_exit(): make sure that we run with get_fs() == USER_DS Greg KH
2010-12-08  0:04 ` [27/44] DECnet: dont leak uninitialized stack byte Greg KH
2010-12-08  0:04 ` [28/44] ARM: 6482/2: Fix find_next_zero_bit and related assembly Greg KH
2010-12-08  0:04 ` [29/44] net: clear heap allocations for privileged ethtool actions Greg KH
2010-12-08  0:04 ` [30/44] xfrm4: strip ECN and IP Precedence bits in policy lookup Greg KH
2010-12-08  0:04 ` [31/44] net: Fix IPv6 PMTU disc. w/ asymmetric routes Greg KH
2010-12-08  0:04 ` [32/44] rose: Fix signedness issues wrt. digi count Greg KH
2010-12-08  0:04 ` [33/44] net: Fix the condition passed to sk_wait_event() Greg KH
2010-12-08  0:04 ` [34/44] Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows Greg KH
2010-12-08  1:22   ` Linus Torvalds
2010-12-08  4:16     ` Greg KH
2010-12-08  5:50       ` Eric Dumazet
2010-12-08 16:25         ` David Miller
2010-12-08 23:13           ` Greg KH
2010-12-08  0:04 ` [35/44] tcp: Fix race in tcp_poll Greg KH
2010-12-08  0:04 ` [36/44] net: Truncate recvfrom and sendto length to INT_MAX Greg KH
2010-12-08  0:04 ` [37/44] ipv6: conntrack: Add member of user to nf_ct_frag6_queue structure Greg KH
2010-12-08  0:04 ` [38/44] x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet Greg KH
2010-12-08  0:04 ` [39/44] memory corruption in X.25 facilities parsing Greg KH
2010-12-08  0:04 ` [40/44] can-bcm: fix minor heap overflow Greg KH
2010-12-08  0:04 ` [41/44] V4L/DVB: ivtvfb: prevent reading uninitialized stack memory Greg KH
2010-12-08  0:04 ` Greg KH [this message]
2010-12-08  0:04 ` [43/44] econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849 Greg KH
2010-12-08  0:04 ` [44/44] econet: fix CVE-2010-3850 Greg KH
