This is a note to let you know that I've just added the patch titled
x25: Prevent crashing when parsing bad X.25 facilities
to the 2.6.32-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
and it can be found in the queue-2.6.32 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <[email protected]>
Date: Fri, 12 Nov 2010 12:44:42 -0800
Subject: x25: Prevent crashing when parsing bad X.25 facilities
From: Dan Rosenberg <[email protected]>
commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream.
Now with improved comma support.
On parsing malformed X.25 facilities, decrementing the remaining length
may cause it to underflow. Since the length is an unsigned integer,
this will result in the loop continuing until the kernel crashes.
This patch adds checks to ensure decrementing the remaining length does
not cause it to wrap around.
Signed-off-by: Dan Rosenberg <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/x25/x25_facilities.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff
while (len > 0) {
switch (*p & X25_FAC_CLASS_MASK) {
case X25_FAC_CLASS_A:
+ if (len < 2)
+ return 0;
switch (*p) {
case X25_FAC_REVERSE:
if((p[1] & 0x81) == 0x81) {
@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff
len -= 2;
break;
case X25_FAC_CLASS_B:
+ if (len < 3)
+ return 0;
switch (*p) {
case X25_FAC_PACKET_SIZE:
facilities->pacsize_in = p[1];
@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff
len -= 3;
break;
case X25_FAC_CLASS_C:
+ if (len < 4)
+ return 0;
printk(KERN_DEBUG "X.25: unknown facility %02X, "
"values %02X, %02X, %02X\n",
p[0], p[1], p[2], p[3]);
@@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff
len -= 4;
break;
case X25_FAC_CLASS_D:
+ if (len < p[1] + 2)
+ return 0;
switch (*p) {
case X25_FAC_CALLING_AE:
if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
@@ -149,9 +157,7 @@ int x25_parse_facilities(struct sk_buff
break;
default:
printk(KERN_DEBUG "X.25: unknown facility %02X,"
- "length %d, values %02X, %02X, "
- "%02X, %02X\n",
- p[0], p[1], p[2], p[3], p[4], p[5]);
+ "length %d\n", p[0], p[1]);
break;
}
len -= p[1] + 2;
Patches currently in stable-queue which might be from [email protected]
are
queue-2.6.32/can-bcm-fix-minor-heap-overflow.patch
queue-2.6.32/x25-prevent-crashing-when-parsing-bad-x.25-facilities.patch
queue-2.6.32/block-limit-vec-count-in-bio_kmalloc-and-bio_alloc_map_data.patch
queue-2.6.32/bio-take-care-not-overflow-page-count-when-mapping-copying-user-data.patch
queue-2.6.32/sys_semctl-fix-kernel-stack-leakage.patch
queue-2.6.32/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
queue-2.6.32/v4l-dvb-ivtvfb-prevent-reading-uninitialized-stack-memory.patch
queue-2.6.32/ipc-initialize-structure-memory-to-zero-for-compat-functions.patch
queue-2.6.32/decnet-don-t-leak-uninitialized-stack-byte.patch
queue-2.6.32/block-take-care-not-to-overflow-when-calculating-total-iov-length.patch
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
