[PATCH v2] Prevent crashing when parsing bad X.25 facilities

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2] Prevent crashing when parsing bad X.25 facilities
@ 2010-11-12 14:07 Dan Rosenberg
  2010-11-12 20:29 ` David Miller
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Rosenberg @ 2010-11-12 14:07 UTC (permalink / raw)
  To: andrew.hendry; +Cc: netdev

On parsing malformed X.25 facilities, decrementing the remaining length
may cause it to underflow.  Since the length is an unsigned integer,
this will result in the loop continuing until the kernel crashes.

This patch adds checks to ensure decrementing the remaining length does
not cause it to wrap around.

v2 prevents printing values outside the appropriate range.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
CC: stable <stable@kernel.org>
---
 net/x25/x25_facilities.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index 3a8c4c4..7f18e7d 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
 	while (len > 0) {
 		switch (*p & X25_FAC_CLASS_MASK) {
 		case X25_FAC_CLASS_A:
+			if (len < 2)
+				return 0;
 			switch (*p) {
 			case X25_FAC_REVERSE:
 				if((p[1] & 0x81) == 0x81) {
@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
 			len -= 2;
 			break;
 		case X25_FAC_CLASS_B:
+			if (len < 3)
+				return 0;
 			switch (*p) {
 			case X25_FAC_PACKET_SIZE:
 				facilities->pacsize_in  = p[1];
@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
 			len -= 3;
 			break;
 		case X25_FAC_CLASS_C:
+			if (len < 4)
+				return 0;
 			printk(KERN_DEBUG "X.25: unknown facility %02X, "
 			       "values %02X, %02X, %02X\n",
 			       p[0], p[1], p[2], p[3]);
@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
 			len -= 4;
 			break;
 		case X25_FAC_CLASS_D:
+			if (len < p[1] + 2)
+				return 0;
 			switch (*p) {
 			case X25_FAC_CALLING_AE:
 				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
@@ -149,9 +157,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
 				break;
 			default:
 				printk(KERN_DEBUG "X.25: unknown facility %02X,"
-					"length %d, values %02X, %02X, "
-					"%02X, %02X\n",
-					p[0], p[1], p[2], p[3], p[4], p[5]);
+					"length %d\n"
+					p[0], p[1]);
 				break;
 			}
 			len -= p[1] + 2;



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] Prevent crashing when parsing bad X.25 facilities
  2010-11-12 14:07 [PATCH v2] Prevent crashing when parsing bad X.25 facilities Dan Rosenberg
@ 2010-11-12 20:29 ` David Miller
  2010-11-12 20:44   ` Dan Rosenberg
  0 siblings, 1 reply; 4+ messages in thread
From: David Miller @ 2010-11-12 20:29 UTC (permalink / raw)
  To: drosenberg; +Cc: andrew.hendry, netdev

From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Fri, 12 Nov 2010 09:07:57 -0500

> @@ -149,9 +157,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
>  				break;
>  			default:
>  				printk(KERN_DEBUG "X.25: unknown facility %02X,"
> -					"length %d, values %02X, %02X, "
> -					"%02X, %02X\n",
> -					p[0], p[1], p[2], p[3], p[4], p[5]);
> +					"length %d\n"
> +					p[0], p[1]);
>  				break;

Thanks for not even compile testing your changes:

net/x25/x25_facilities.c: In function 'x25_parse_facilities':
net/x25/x25_facilities.c:161:6: error: expected ')' before 'p'
net/x25/x25_facilities.c:161:6: warning: too few arguments for format

I find this kind of carelessness extremely amusing coming from someone
who is so big on security theatre.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] Prevent crashing when parsing bad X.25 facilities
  2010-11-12 20:29 ` David Miller
@ 2010-11-12 20:44   ` Dan Rosenberg
  2010-11-12 20:50     ` David Miller
  0 siblings, 1 reply; 4+ messages in thread
From: Dan Rosenberg @ 2010-11-12 20:44 UTC (permalink / raw)
  To: David Miller; +Cc: andrew.hendry, netdev


> I find this kind of carelessness extremely amusing coming from someone
> who is so big on security theatre.

You know what I find amusing?  The sheer number of security issues a
single person can find in his spare time.  Congratulations on your
attention to detail.

-Dan


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] Prevent crashing when parsing bad X.25 facilities
  2010-11-12 20:44   ` Dan Rosenberg
@ 2010-11-12 20:50     ` David Miller
  0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2010-11-12 20:50 UTC (permalink / raw)
  To: drosenberg; +Cc: andrew.hendry, netdev

From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Fri, 12 Nov 2010 15:44:25 -0500

> 
>> I find this kind of carelessness extremely amusing coming from someone
>> who is so big on security theatre.
> 
> You know what I find amusing?  The sheer number of security issues a
> single person can find in his spare time.  Congratulations on your
> attention to detail.

I do not even agree that, for example, pointer exposure is a real
issue.  It still remains a matter of opinion.

And much of your claims and boasting is based upon that opinion.

So don't pass it off saliently or indirectly as fact.


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2010-11-12 20:50 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-11-12 14:07 [PATCH v2] Prevent crashing when parsing bad X.25 facilities Dan Rosenberg
2010-11-12 20:29 ` David Miller
2010-11-12 20:44   ` Dan Rosenberg
2010-11-12 20:50     ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).