** Description changed:
+ =======================================================
+ SRU Justification
+ Impact: data is discarded under certain conditions
+ Regression potential: the fix has been in Ubuntu releases since quantal
+ Test case: an exploit is at http://www.halfdog.net/Security/VdeNetBufferBug/
+ =======================================================
+
Binary package hint: vde2
The vde_plug (at least on Ubuntu Hardy) contains a bug that is
triggered when a certain amount of encapsulated ether frame data
is sent to the plug in a specially timed manner. When the input
buffer is filled with just a single byte, vde_plug also uses the
first byte after the end of data, thus constructing an invalid
frame length. Depending on frame length, just one byte or the
complete buffer content is discarded, thus leading to the loss of
a single byte or of the complete frame content. Code from vde_plug.c:
...
void splitpacket(const unsigned char *buf,int size,VDECONN *conn)
{
....
    while (size > 0) {
        /* 2-byte length prefix: buf[1] is read even when size == 1 */
        rnx=(buf[0]<<8)+buf[1];
        size-=2;

More info, testcases, see
http://www.halfdog.net/Security/VdeNetBufferBug/
Bug also reported upstream:
http://sourceforge.net/tracker/?func=detail&aid=3058721&group_id=95403&atid=611248
Affected version:
ii vde2 2.1.6+r154-1
Virtual Distributed Ethernet
System: Hardy 8.04
** Changed in: vde2 (Ubuntu Lucid)
Importance: Undecided => High
** Changed in: vde2 (Ubuntu Precise)
Importance: Undecided => High
** Changed in: vde2 (Ubuntu Lucid)
Status: New => Confirmed
** Changed in: vde2 (Ubuntu Precise)
Status: New => Confirmed
--
https://bugs.launchpad.net/bugs/629439
Title:
Bug vde_plug input handling can cause ether frame loss/corruption or
buffer overread by 1
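The condition in the report, a read that ends on a single length-prefix byte, handled by carrying the partial header across reads. This is an added example, not code from vde2 or from the reporter, and it is not the upstream fix; struct splitter, split_feed and MAX_FRAME are hypothetical names, and the 2-byte big-endian length prefix is taken from the quoted rnx=(buf[0]<<8)+buf[1] line.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FRAME 1600              /* assumed bound, not taken from vde2 */
struct splitter {                   /* hypothetical state kept between reads */
    unsigned char hdr[2], frame[MAX_FRAME];
    size_t hdr_have, need, have;    /* header bytes seen; payload wanted/collected */
    int skip;                       /* empty or oversize frame: consume, do not store */
    size_t last_len;                /* length of the newest complete frame */
};

/* Feed one read() worth of bytes; returns how many frames were completed. */
int split_feed(struct splitter *s, const unsigned char *buf, size_t size)
{
    int done = 0;
    while (size > 0) {
        if (s->hdr_have < 2) {
            /* One header byte at a time: buf[1] is never read when size == 1. */
            s->hdr[s->hdr_have++] = *buf++;
            size--;
            if (s->hdr_have < 2)
                continue;
            s->need = ((size_t)s->hdr[0] << 8) | s->hdr[1];
            s->have = 0;
            s->skip = s->need == 0 || s->need > MAX_FRAME;
        }
        size_t n = s->need - s->have;
        if (n > size) n = size;     /* never copy past the bytes actually read */
        if (!s->skip)
            memcpy(s->frame + s->have, buf, n);
        s->have += n; buf += n; size -= n;
        if (s->have == s->need) {   /* frame complete: next byte starts a header */
            if (!s->skip) { s->last_len = s->need; done++; }
            s->hdr_have = 0;
        }
    }
    return done;
}

int main(void)
{
    /* Constructed stream: frames "AB" and "CDE"; read 1 ends on a lone header byte. */
    static const unsigned char r1[] = {0x00, 0x02, 'A', 'B', 0x00};
    static const unsigned char r2[] = {0x03, 'C', 'D', 'E'};
    struct splitter s = {0};
    int a = split_feed(&s, r1, sizeof r1), b = split_feed(&s, r2, sizeof r2);
    printf("%d %d last=%.*s\n", a, b, (int)s.last_len, (const char *)s.frame);
    return 0;
}
```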