From: Dan Rosenberg <drosenberg@vsecurity.com>
To: ralf@linux-mips.org, davem@davemloft.net
Cc: netdev@vger.kernel.org, security@kernel.org
Subject: [PATCH] ROSE: prevent heap corruption with bad facilities
Date: Sat, 19 Mar 2011 19:28:33 -0400 [thread overview]
Message-ID: <1300577313.12507.17.camel@dan> (raw)
When parsing the FAC_NATIONAL_DIGIS facilities field, keeping the
counter field in an unsigned char is insufficient, since the counter is
incremented by AX25_ADDR_LEN (7) with each loop. Providing a field
length of 0xf, for example, causes heap corruption because the counter
wraps without ever reaching the length and data is copied past the
boundaries of the source_digis or dest_digis facilities arrays. Change
the counter to an unsigned ints to prevent this wrapping and overflow.
Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a length of less than 10 results
in an underflow in a memcpy size, resulting in a kernel panic due to
massive heap corruption. Abort facilities parsing on this invalid
length value.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
---
net/rose/rose_subr.c | 12 +++++++++++-
1 files changed, 11 insertions(+), 1 deletions(-)
diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
index 1734abb..fee9de4 100644
--- a/net/rose/rose_subr.c
+++ b/net/rose/rose_subr.c
@@ -240,7 +240,8 @@ int rose_decode(struct sk_buff *skb, int *ns, int *nr, int *q, int *d, int *m)
static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *facilities, int len)
{
unsigned char *pt;
- unsigned char l, lg, n = 0;
+ unsigned char l, n = 0;
+ unsigned int lg;
int fac_national_digis_received = 0;
do {
@@ -334,12 +335,16 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
case 0xC0:
l = p[1];
if (*p == FAC_CCITT_DEST_NSAP) {
+ if (l < 10)
+ return -1;
memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN);
memcpy(callsign, p + 12, l - 10);
callsign[l - 10] = '\0';
asc2ax(&facilities->source_call, callsign);
}
if (*p == FAC_CCITT_SRC_NSAP) {
+ if (l < 10)
+ return -1;
memcpy(&facilities->dest_addr, p + 7, ROSE_ADDR_LEN);
memcpy(callsign, p + 12, l - 10);
callsign[l - 10] = '\0';
@@ -379,6 +384,11 @@ int rose_parse_facilities(unsigned char *p,
case FAC_CCITT: /* CCITT */
len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
+
+ /* Invalid facilities */
+ if (len < 0)
+ return 0;
+
facilities_len -= len + 1;
p += len + 1;
break;
next reply other threads:[~2011-03-19 23:35 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-19 23:28 Dan Rosenberg [this message]
2011-03-20 6:03 ` [PATCH] ROSE: prevent heap corruption with bad facilities Dan Rosenberg
2011-03-20 6:07 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1300577313.12507.17.camel@dan \
--to=drosenberg@vsecurity.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=ralf@linux-mips.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).