| commit | 62fdb8668c631619251cff6d964556e0f67b8dcd | |
| author | Dan Rosenberg <drosenberg@vsecurity.com> | |
| Sat, 19 Mar 2011 20:43:43 +0000 (19 20:43 +0000) | ||
| committer | Greg Kroah-Hartman <gregkh@suse.de> | |
| Thu, 14 Apr 2011 23:53:27 +0000 (14 16:53 -0700) | ||
| tree | d867fbc83e20f4c8dde0d39a91c95cd1d0d81631 | treesnapshot (tar.gz zip) |
| parent | 356236ae3995899d03106bb02b0a5e2e91f29ccf | commitdiff |
ROSE: prevent heap corruption with bad facilities
commit be20250c13f88375345ad99950190685eda51eb8 upstream.
When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
a remote host to provide more digipeaters than expected, resulting in
heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and
abort facilities parsing on failure.
Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
of less than 10, resulting in an underflow in a memcpy size, causing a
kernel panic due to massive heap corruption. A length of greater than
20 results in a stack overflow of the callsign array. Abort facilities
parsing on these invalid length values.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit be20250c13f88375345ad99950190685eda51eb8 upstream.
When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
a remote host to provide more digipeaters than expected, resulting in
heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and
abort facilities parsing on failure.
Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
of less than 10, resulting in an underflow in a memcpy size, causing a
kernel panic due to massive heap corruption. A length of greater than
20 results in a stack overflow of the callsign array. Abort facilities
parsing on these invalid length values.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| net/rose/rose_subr.c | diffblobblamehistory |