[cve-2010-4164] x25: Prevent crashing when parsing bad X.25 facilities
Steve Conklin
sconklin at canonical.com
Tue Mar 8 15:46:22 UTC 2011

CVE-2010-4164:

Multiple integer underflows in the x25_parse_facilities function in
net/x25/x25_facilities.c in the Linux kernel before 2.6.36.2 allow remote
attackers to cause a denial of service (system crash) via malformed X.25
(1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3) X25_FAC_CLASS_C, or (4)
X25_FAC_CLASS_D facility data, a different vulnerability than
CVE-2010-3873.

This fix is already in the upstream commit listed below:

commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f
Author: Dan Rosenberg <drosenberg at vsecurity.com>
Date: Fri Nov 12 12:44:42 2010 -0800

    x25: Prevent crashing when parsing bad X.25 facilities

    Now with improved comma support.

    On parsing malformed X.25 facilities, decrementing the remaining length
    may cause it to underflow. Since the length is an unsigned integer,
    this will result in the loop continuing until the kernel crashes.

    This patch adds checks to ensure decrementing the remaining length does
    not cause it to wrap around.

    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
    Signed-off-by: David S. Miller <davem at davemloft.net>

This fix is already in Lucid, Maverick, and Natty.
It applies cleanly to Hardy and Karmic.
It applied with minor modifications to Dapper.

Following this email are two patches, the one that applies to Hardy and Karmic, and the one for Dapper.
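
Added example (not part of the original mail or of the kernel patch): a user-space C sketch of the check the commit message describes, refusing a facility entry that claims more bytes than remain before the unsigned length is decremented. The class-to-length layout, the FAC_* names and both function names are assumptions of this sketch, and the sample bytes are constructed.

```c
#include <stdio.h>

/* Assumed layout for this sketch: the top two bits of the facility code
 * select the class. Classes A, B and C are 2, 3 and 4 bytes long; class D
 * (0xC0) carries a length byte followed by that many data bytes. */
#define FAC_CLASS_MASK 0xC0
#define FAC_CLASS_A    0x00
#define FAC_CLASS_B    0x40
#define FAC_CLASS_C    0x80

/* What an unchecked "len -= step" yields on an unsigned length. */
unsigned int unchecked_decrement(unsigned int len, unsigned int step)
{
    return len - step;          /* wraps to a huge value when step > len */
}

/* Walk a facilities block; return the number of entries, or -1 if an
 * entry claims more bytes than remain (the check the fix describes). */
int walk_facilities(const unsigned char *p, unsigned int len)
{
    int count = 0;
    while (len > 0) {
        unsigned int step;
        switch (*p & FAC_CLASS_MASK) {
        case FAC_CLASS_A: step = 2; break;
        case FAC_CLASS_B: step = 3; break;
        case FAC_CLASS_C: step = 4; break;
        default:                        /* class D */
            if (len < 2)
                return -1;              /* no room for the length byte */
            step = 2u + p[1];
            break;
        }
        if (len < step)
            return -1;                  /* decrement would wrap: reject */
        p += step;
        len -= step;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a class B entry cut short to two bytes. */
    const unsigned char truncated[] = { 0x42, 0x07 };
    printf("%d\n", walk_facilities(truncated, sizeof truncated));
    return 0;
}
```

Without the `len < step` test, the truncated entry would leave `len` at the value `unchecked_decrement(2, 3)` returns, so `while (len > 0)` keeps reading far past the buffer.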