From: Stefan Richter <stefanr@s5r6.in-berlin.de>
To: linux1394-devel@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org, Eyal Itkin <eyal.itkin@gmail.com>
Subject: [PATCH 0/3] firewire: net: IP-over-1394 link fragmentation fixes
Date: Wed, 2 Nov 2016 21:05:54 +0100 [thread overview]
Message-ID: <20161102210554.23b24d74@kant> (raw)
[-- Attachment #1: Type: text/plain, Size: 2142 bytes --]
The following patches
1/3 firewire: net: guard against rx buffer overflows
2/3 firewire: net: fix fragmented datagram_size off-by-one
3/3 firewire: net: max MTU off by one
fix a few long-standing bugs of the IP-over-1394 driver firewire-net
related to reception and transmission of fragmented datagrams:
- RX: Missing validation of fragment offset and size makes the driver
vulnerable to buffer overflows, potentially leading to remote¹ code
execution. Reported by Eyal Itkin.
¹) The vulnerability cannot be triggered by malformed IP datagrams,
but by malformed IEEE 1394 packets sent from other FireWire nodes to
the 1394 broadcast channel or to firewire-net's unicast FIFO, or can
be sent from the local node to the unicast FIFO by sufficiently
privileged userland. I.e. an attack can only originate from somewhere
on the FireWire bus, not from another network that is bridged to the
FireWire bus.
- RX: Missing validation of unfragmented and fragmented datagrams for
minimum packet size before looking at GASP header and encapsulation
header.
- RX and TX: The datagram_size field of fragmented datagrams was read
and written incorrectly; an offset of +/-1 needs to be applied. This
prevents fragmented traffic from/to nodes which run OS X, Windows XP,
or Linux' older eth1394 driver. (Traffic from Win XP would eventually
be retried with smaller MTU and possibly succeed slowly despite the
bug.)
Patch 1/3 is obviously urgent.
Patch 2/3 is a bit of a bother because while it fixes fragmented RX/TX with
OS X, Win XP, and eth1394, it does disrupt fragmented RX/TX with Linux
nodes which run an unfixed firewire-net.
Patch 3/3 will only apply in conjunction with changes that are queued up
in the net-next git tree, hence this patch will wait until net-next was
merged.
Patches 1+2/3 are already pushed out to linux1394.git "testing" and
"for-next" branches, but I still like to get review comments before I
send a pull request.
--
Stefan Richter
-======----- =-== ---=-
http://arcgraph.de/sr/
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
next reply other threads:[~2016-11-02 20:06 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-02 20:05 Stefan Richter [this message]
2016-11-02 20:07 ` [PATCH 1/3] firewire: net: guard against rx buffer overflows Stefan Richter
2016-11-02 20:08 ` [PATCH 2/3] firewire: net: fix fragmented datagram_size off-by-one Stefan Richter
2016-11-02 20:09 ` [PATCH 3/3] firewire: net: max MTU off by one Stefan Richter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161102210554.23b24d74@kant \
--to=stefanr@s5r6.in-berlin.de \
--cc=eyal.itkin@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux1394-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).