From: Chris Wright Date: Fri, 6 Jun 2008 23:31:09 +0000 (-0700) Subject: Linux 2.6.25.5 X-Git-Tag: v2.6.25.5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=26c4282207b912f75c89258ea4681f0f213b2ddc;p=thirdparty%2Fkernel%2Fstable-queue.git Linux 2.6.25.5 --- diff --git a/releases/2.6.25.5/asn1-additional-sanity-checking-during-ber-decoding.patch b/releases/2.6.25.5/asn1-additional-sanity-checking-during-ber-decoding.patch new file mode 100644 index 00000000000..14f6740247f --- /dev/null +++ b/releases/2.6.25.5/asn1-additional-sanity-checking-during-ber-decoding.patch @@ -0,0 +1,104 @@ +From ddb2c43594f22843e9f3153da151deaba1a834c5 Mon Sep 17 00:00:00 2001 +From: Chris Wright +Date: Wed, 4 Jun 2008 09:16:33 -0700 +Subject: asn1: additional sanity checking during BER decoding (CVE-2008-1673) + +From: Chris Wright + +upstream commit: ddb2c43594f22843e9f3153da151deaba1a834c5 + +- Don't trust a length which is greater than the working buffer. + An invalid length could cause overflow when calculating buffer size + for decoding oid. + +- An oid length of zero is invalid and allows for an off-by-one error when + decoding oid because the first subid actually encodes first 2 subids. + +- A primitive encoding may not have an indefinite length. + +Thanks to Wei Wang from McAfee for report. + +Cc: Steven French +Cc: stable@kernel.org +Acked-by: Patrick McHardy +Signed-off-by: Chris Wright +Signed-off-by: Linus Torvalds +--- + fs/cifs/asn1.c | 14 ++++++++++++++ + net/ipv4/netfilter/nf_nat_snmp_basic.c | 14 ++++++++++++++ + 2 files changed, 28 insertions(+) + +--- a/fs/cifs/asn1.c ++++ b/fs/cifs/asn1.c +@@ -186,6 +186,11 @@ asn1_length_decode(struct asn1_ctx *ctx, + } + } + } ++ ++ /* don't trust len bigger than ctx buffer */ ++ if (*len > ctx->end - ctx->pointer) ++ return 0; ++ + return 1; + } + +@@ -203,6 +208,10 @@ asn1_header_decode(struct asn1_ctx *ctx, + if (!asn1_length_decode(ctx, &def, &len)) + return 0; + ++ /* primitive shall be definite, indefinite shall be constructed */ ++ if (*con == ASN1_PRI && !def) ++ return 0; ++ + if (def) + *eoc = ctx->pointer + len; + else +@@ -389,6 +398,11 @@ asn1_oid_decode(struct asn1_ctx *ctx, + unsigned long *optr; + + size = eoc - ctx->pointer + 1; ++ ++ /* first subid actually encodes first two subids */ ++ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long)) ++ return 0; ++ + *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC); + if (*oid == NULL) + return 0; +--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c ++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c +@@ -231,6 +231,11 @@ static unsigned char asn1_length_decode( + } + } + } ++ ++ /* don't trust len bigger than ctx buffer */ ++ if (*len > ctx->end - ctx->pointer) ++ return 0; ++ + return 1; + } + +@@ -249,6 +254,10 @@ static unsigned char asn1_header_decode( + if (!asn1_length_decode(ctx, &def, &len)) + return 0; + ++ /* primitive shall be definite, indefinite shall be constructed */ ++ if (*con == ASN1_PRI && !def) ++ return 0; ++ + if (def) + *eoc = ctx->pointer + len; + else +@@ -433,6 +442,11 @@ static unsigned char asn1_oid_decode(str + unsigned long *optr; + + size = eoc - ctx->pointer + 1; ++ ++ /* first subid actually encodes first two subids */ ++ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long)) ++ return 0; ++ + *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC); + if (*oid == NULL) { + if (net_ratelimit()) diff --git a/releases/2.6.25.5/series b/releases/2.6.25.5/series new file mode 100644 index 00000000000..05e70446479 --- /dev/null +++ b/releases/2.6.25.5/series @@ -0,0 +1 @@ +asn1-additional-sanity-checking-during-ber-decoding.patch