[cve-2010-4164] x25: Prevent crashing when parsing bad X.25 facilities

Steve Conklin sconklin at canonical.com
Tue Mar 8 15:46:22 UTC 2011


CVE-2010-4164:
Multiple integer underflows in the x25_parse_facilities function in
net/x25/x25_facilities.c in the Linux kernel before 2.6.36.2 allow remote
attackers to cause a denial of service (system crash) via malformed X.25
(1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3) X25_FAC_CLASS_C, or (4)
X25_FAC_CLASS_D facility data, a different vulnerability than
CVE-2010-3873.

This fix is already in the upstream commit listed below:

    commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f
    Author: Dan Rosenberg <drosenberg at vsecurity.com>
    Date:   Fri Nov 12 12:44:42 2010 -0800

	x25: Prevent crashing when parsing bad X.25 facilities

	Now with improved comma support.

	On parsing malformed X.25 facilities, decrementing the remaining length
	may cause it to underflow.  Since the length is an unsigned integer,
	this will result in the loop continuing until the kernel crashes.

	This patch adds checks to ensure decrementing the remaining length does
	not cause it to wrap around.

	Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
	Signed-off-by: David S. Miller <davem at davemloft.net>

This fix is already in Lucid, Maverick, and Natty.
It applies cleanly to Hardy and Karmic.
It applied with minor modifications to Dapper.

Following this email are two patches, the one that applies to Hardy and Karmic, and the one for Dapper.
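
The underflow the commit message describes, shown as an added user-space C example: it is a simplified model written for illustration, not the kernel's x25_parse_facilities code and not the upstream patch. The function names, the sample buffers and the per-class sizes are assumptions of the example.

```c
#include <stdio.h>
/* Facility class = top two bits of the facility code (modelled for this example). */
#define FAC_CLASS_MASK 0xC0
#define FAC_CLASS_A    0x00   /* code + 1 parameter byte  */
#define FAC_CLASS_B    0x40   /* code + 2 parameter bytes */
#define FAC_CLASS_C    0x80   /* code + 3 parameter bytes */
                              /* 0xC0 = class D: code, length byte, data */

/* Constructed samples, not captured traffic. */
const unsigned char good_fac[]  = { 0x01, 0xAA, 0x42, 0x07, 0x07, 0xC3, 0x02, 0x10, 0x20 };
const unsigned char short_fac[] = { 0x01, 0xAA, 0x42, 0x07 };  /* class B cut short */
const unsigned char lying_d[]   = { 0xC3, 0x09, 0x10, 0x20 };  /* D claims 9 data bytes */

/* Bytes the facility at p occupies; 0 if the class D length byte is missing. */
static unsigned int fac_size(const unsigned char *p, unsigned int len)
{
    switch (p[0] & FAC_CLASS_MASK) {
    case FAC_CLASS_A: return 2;
    case FAC_CLASS_B: return 3;
    case FAC_CLASS_C: return 4;
    default:          return len < 2 ? 0 : 2u + p[1];
    }
}

/* Checked walk: number of facilities, or -1 if one would overrun len. */
int walk_facilities(const unsigned char *p, unsigned int len)
{
    int count = 0;
    while (len > 0) {
        unsigned int need = fac_size(p, len);
        if (need == 0 || need > len)  /* never subtract more than remains */
            return -1;
        p += need;
        len -= need;
        count++;
    }
    return count;
}

/* What an unchecked "len -= need" computes: it wraps, so "len > 0" stays true. */
unsigned int unchecked_sub(unsigned int len, unsigned int need)
{
    return len - need;
}

int main(void)
{
    printf("good=%d short=%d wrapped=%u\n", walk_facilities(good_fac, sizeof good_fac),
           walk_facilities(short_fac, sizeof short_fac), unchecked_sub(2, 3));
    return 0;
}
```

Without the `need > len` test, the truncated class B facility in `short_fac` leaves the remaining length at 2 - 3, which as an unsigned value is the maximum `unsigned int`, and the loop keeps reading past the buffer.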