github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-09 15:12:59 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
bf477829d0
linux/net/rose
History
Dan Rosenberg 62fdb8668c ROSE: prevent heap corruption with bad facilities 
commit be20250c13 upstream.

When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
a remote host to provide more digipeaters than expected, resulting in
heap corruption.  Check against ROSE_MAX_DIGIS to prevent overflows, and
abort facilities parsing on failure.

Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
of less than 10, resulting in an underflow in a memcpy size, causing a
kernel panic due to massive heap corruption.  A length of greater than
20 results in a stack overflow of the callsign array.  Abort facilities
parsing on these invalid length values.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-04-14 16:53:27 -07:00
..
af_rose.c rose: Fix signedness issues wrt. digi count. 2010-10-28 21:44:10 -07:00
Makefile
rose_dev.c convert hamradio drivers to netdev_txreturnt_t 2009-09-01 01:13:12 -07:00
rose_in.c [ROSE]: Supress sparse warnings 2008-01-28 15:02:44 -08:00
rose_link.c ax25: netrom: rose: Fix timer oopses 2010-02-09 04:50:56 -08:00
rose_loopback.c [ROSE]: Fix rose.ko oops on unload 2007-10-07 23:44:17 -07:00
rose_out.c
rose_route.c ax25: netrom: rose: Fix timer oopses 2010-02-09 04:50:56 -08:00
rose_subr.c ROSE: prevent heap corruption with bad facilities 2011-04-14 16:53:27 -07:00
rose_timer.c
sysctl_net_rose.c net: '&' redux 2008-11-03 18:21:05 -08:00