projects / linux-flexiantxendom0-natty.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: b4b398f) | patch
ROSE: prevent heap corruption with bad facilities
authorDan Rosenberg <drosenberg@vsecurity.com>
Sat, 19 Mar 2011 20:43:43 +0000 (20:43 +0000)
committerBrad Figg <brad.figg@canonical.com>
Wed, 27 Apr 2011 18:40:55 +0000 (11:40 -0700)
commita0345bfefd08584cd72654f8d832611aed25a593
tree647ae6042affc04e76e17ce67e06d2741939c8d3tree | snapshot
parentb4b398f53ee90cf648aa0e74742d8b5892ca9a39commit | diff
ROSE: prevent heap corruption with bad facilities

BugLink: http://bugs.launchpad.net/bugs/761134

commit be20250c13f88375345ad99950190685eda51eb8 upstream.

When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
a remote host to provide more digipeaters than expected, resulting in
heap corruption.  Check against ROSE_MAX_DIGIS to prevent overflows, and
abort facilities parsing on failure.

Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
of less than 10, resulting in an underflow in a memcpy size, causing a
kernel panic due to massive heap corruption.  A length of greater than
20 results in a stack overflow of the callsign array.  Abort facilities
parsing on these invalid length values.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
net/rose/rose_subr.c diff | blob | history
Port of xen3.3 xenlinux code to Ubuntu Natty kernel