Commit | Line | Data |
---|---|---|
bcd4f083 GKH |
1 | From 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f Mon Sep 17 00:00:00 2001 |
2 | From: Dan Rosenberg <drosenberg@vsecurity.com> | |
3 | Date: Fri, 12 Nov 2010 12:44:42 -0800 | |
4 | Subject: x25: Prevent crashing when parsing bad X.25 facilities | |
5 | ||
6 | From: Dan Rosenberg <drosenberg@vsecurity.com> | |
7 | ||
8 | commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream. | |
9 | ||
10 | Now with improved comma support. | |
11 | ||
12 | On parsing malformed X.25 facilities, decrementing the remaining length | |
13 | may cause it to underflow. Since the length is an unsigned integer, | |
14 | this will result in the loop continuing until the kernel crashes. | |
15 | ||
16 | This patch adds checks to ensure decrementing the remaining length does | |
17 | not cause it to wrap around. | |
18 | ||
19 | Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> | |
20 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
21 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
22 | ||
23 | --- | |
24 | net/x25/x25_facilities.c | 12 +++++++++--- | |
25 | 1 file changed, 9 insertions(+), 3 deletions(-) | |
26 | ||
27 | --- a/net/x25/x25_facilities.c | |
28 | +++ b/net/x25/x25_facilities.c | |
29 | @@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff | |
30 | while (len > 0) { | |
31 | switch (*p & X25_FAC_CLASS_MASK) { | |
32 | case X25_FAC_CLASS_A: | |
33 | + if (len < 2) | |
34 | + return 0; | |
35 | switch (*p) { | |
36 | case X25_FAC_REVERSE: | |
37 | if((p[1] & 0x81) == 0x81) { | |
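Review bot: The new `if (len < 2) return 0;` in the class A case returns a plain 0 on truncated input, and nothing in the hunk shows that callers can tell that apart from a facilities block that parsed cleanly. If the callers (not visible here) do not already treat 0 as a rejection, a malformed packet leaves the parser silently and processing may continue with partly filled facilities; a distinct error return that callers check would make the failure explicit. The same applies to the `len < 3`, `len < 4` and `len < p[1] + 2` checks in the class B, C and D cases. At minimum each check deserves a comment such as `/* class A = code + 1 value byte; stop on truncated input */`. The body of x25_parse_facilities starts and ends outside this hunk.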
38 | @@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff | |
39 | len -= 2; | |
40 | break; | |
41 | case X25_FAC_CLASS_B: | |
42 | + if (len < 3) | |
43 | + return 0; | |
44 | switch (*p) { | |
45 | case X25_FAC_PACKET_SIZE: | |
46 | facilities->pacsize_in = p[1]; | |
47 | @@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff | |
48 | len -= 3; | |
49 | break; | |
50 | case X25_FAC_CLASS_C: | |
51 | + if (len < 4) | |
52 | + return 0; | |
53 | printk(KERN_DEBUG "X.25: unknown facility %02X, " | |
54 | "values %02X, %02X, %02X\n", | |
55 | p[0], p[1], p[2], p[3]); | |
56 | @@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff | |
57 | len -= 4; | |
58 | break; | |
59 | case X25_FAC_CLASS_D: | |
60 | + if (len < p[1] + 2) | |
61 | + return 0; | |
62 | switch (*p) { | |
63 | case X25_FAC_CALLING_AE: | |
64 | if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1) | |
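Review bot: The class D check `if (len < p[1] + 2)` reads the length byte `p[1]` before anything has established that `len` is at least 2, so with one byte left the comparison itself reads past the remaining facilities data. Testing the fixed part first closes that: `if (len < 2 || len < p[1] + 2) return 0;`. Whether that extra byte is still inside the skb depends on the caller, which this hunk does not show. The inner switch continues outside the hunk.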
65 | @@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff | |
66 | break; | |
67 | default: | |
68 | printk(KERN_DEBUG "X.25: unknown facility %02X," | |
69 | - "length %d, values %02X, %02X, " | |
70 | - "%02X, %02X\n", | |
71 | - p[0], p[1], p[2], p[3], p[4], p[5]); | |
72 | + "length %d\n", p[0], p[1]); | |
73 | break; | |
74 | } | |
75 | len -= p[1] + 2; |
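Review bot: The shortened debug message joins `"X.25: unknown facility %02X,"` and `"length %d\n"` with no space between them, so the log line reads `%02X,length`, unlike the class C message, which uses `%02X, `. Since the format now fits on one line, `printk(KERN_DEBUG "X.25: unknown facility %02X, length %d\n", p[0], p[1]);` is clearer and keeps the string greppable. The enclosing switch starts outside this hunk.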