From: Michael Krufky <mkrufky@linuxtv.org>
To: Greg KH <gregkh@suse.de>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org,
Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
Ang Way Chuang <wcang@nrg.cs.usm.my>,
v4l-dvb maintainer list <v4l-dvb-maintainer@linuxtv.org>
Subject: Re: [patch 29/37] dvb-core: Proper handling ULE SNDU length of 0
Date: Fri, 08 Sep 2006 08:58:49 -0400
Message-ID: <45016909.4080908@linuxtv.org>
In-Reply-To: <20060906225740.GD15922@kroah.com>

Greg KH wrote:
> -stable review patch. If anyone has any objections, please let us know.

Greg,

Can we hold off on this until the 2.6.17.13 review cycle? This patch
has not been sent to the linux-dvb mailing list, it has not been
reviewed or tested except for the Author and Marcel.

Please also add me to the cc list for the stable patches review.

DVB maintainers,

Marcel expressed some concerns about this patch on LKML, see thread:

http://lkml.org/lkml/2006/9/6/314

He says that the code in our mercurial tree, and in 2.6.18-rcX does this
in a much nicer way, but that it involves some major changes. If this
patch seems acceptable, then we can apply it for 2.6.17.y, and the
larger, more appropriate change will be seen when 2.6.18 gets released.

I, myself, do not know enough about the internals of dvb_net ... but I
think that we should agree to this patch before it gets applied to -stable.

Regards,

Mike Krufky

>
> ------------------
> From: Ang Way Chuang <wcang@nrg.cs.usm.my>
>
> ULE (Unidirectional Lightweight Encapsulation, RFC 4326) decapsulation
> code has a bug that allows an attacker to send a malformed ULE packet
> with SNDU length of 0 and bring down the receiving machine. This patch
> fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
> reproducible and the modified source code (GPL) used to produce this bug
> will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
> kernel will produce a dump during CRC32 checking on a faulty ULE packet.
>
>
> Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>
> ---
> drivers/media/dvb/dvb-core/dvb_net.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> --- linux-2.6.17.11.orig/drivers/media/dvb/dvb-core/dvb_net.c
> +++ linux-2.6.17.11/drivers/media/dvb/dvb-core/dvb_net.c
> @@ -492,7 +492,8 @@ static void dvb_net_ule( struct net_devi
> } else
> priv->ule_dbit = 0;
>
> - if (priv->ule_sndu_len > 32763) {
> + if (priv->ule_sndu_len > 32763 ||
> + priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
> printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
> "Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
> priv->ule_sndu_len = 0;
>
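
Review bot: the new lower bound on the added line `priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)` uses a bare 4 with no comment or named constant, so the code does not say what minimum is being enforced. The commit message says the dump happens during CRC32 checking, which suggests the 4 is the CRC32 trailer and ETH_ALEN the destination address present when the D-bit is clear; a one-line comment stating that, or a named constant in place of the 4, would let the bound be checked against RFC 4326. The inner parentheses around `priv->ule_dbit` are redundant. The same "Invalid ULE SNDU length" warning now fires for both too-long and too-short values, so it is worth confirming that the resync handling after `priv->ule_sndu_len = 0;` is correct for the short case as well.
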