[PATCH DAPPER] x25: Prevent crashing when parsing bad X.25 facilities CVE-2010-4164
Tim Gardner
tim.gardner at canonical.com
Tue Mar 8 16:21:46 UTC 2011
On 03/08/2011 03:46 PM, Steve Conklin wrote:
> BugLink: http://bugs.launchpad.net/bugs/731199
>
> CVE-2010-4164
>
> Now with improved comma support.
>
> On parsing malformed X.25 facilities, decrementing the remaining length
> may cause it to underflow. Since the length is an unsigned integer,
> this will result in the loop continuing until the kernel crashes.
>
> This patch adds checks to ensure decrementing the remaining length does
> not cause it to wrap around.
>
> Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (based on upstream commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f)
> Signed-off-by: Steve Conklin <sconklin at canonical.com>
> ---
> net/x25/x25_facilities.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
> index 54278b9..2af5e45 100644
> --- a/net/x25/x25_facilities.c
> +++ b/net/x25/x25_facilities.c
> @@ -43,6 +43,8 @@ int x25_parse_facilities(struct sk_buff *skb,
> while (len> 0) {
> switch (*p& X25_FAC_CLASS_MASK) {
> case X25_FAC_CLASS_A:
> + if (len< 2)
> + return 0;
> switch (*p) {
> case X25_FAC_REVERSE:
> if((p[1]& 0x81) == 0x81) {
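Review bot: a truncated class A facility now makes x25_parse_facilities() return 0 with no diagnostic, whereas unknown facilities later in this function get a printk(KERN_DEBUG ...); a matching debug line before `return 0;` would let an operator tell a malformed peer from an empty facilities block. The placement itself is right: the `if (len< 2)` check sits ahead of `switch (*p)`, so p[1] is only read once two bytes are known to remain.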
> @@ -84,6 +86,8 @@ int x25_parse_facilities(struct sk_buff *skb,
> len -= 2;
> break;
> case X25_FAC_CLASS_B:
> + if (len< 3)
> + return 0;
> switch (*p) {
> case X25_FAC_PACKET_SIZE:
> facilities->pacsize_in = p[1];
> @@ -105,6 +109,8 @@ int x25_parse_facilities(struct sk_buff *skb,
> len -= 3;
> break;
> case X25_FAC_CLASS_C:
> + if (len< 4)
> + return 0;
> printk(KERN_DEBUG "X.25: unknown facility %02X, "
> "values %02X, %02X, %02X\n",
> p[0], p[1], p[2], p[3]);
> @@ -112,6 +118,8 @@ int x25_parse_facilities(struct sk_buff *skb,
> len -= 4;
> break;
> case X25_FAC_CLASS_D:
> + if (len< p[1] + 2)
> + return 0;
> printk(KERN_DEBUG "X.25: unknown facility %02X, "
> "length %d, values %02X, %02X, %02X, %02X\n",
> p[0], p[1], p[2], p[3], p[4], p[5]);
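Review bot: in the class D hunk, `if (len< p[1] + 2)` reads p[1] before anything guarantees it is inside the buffer; the enclosing `while (len> 0)` only ensures one byte remains, so a block ending in a lone class D code byte still reads one byte past the facilities data. A `len< 2` check ahead of this line closes that gap. Separately, the printk that follows dereferences p[2] through p[5], which the new check only covers when p[1] is at least 4; with the check as written a class D facility carrying a length byte below 4 still over-reads in the debug message.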
Seems like you missed part of the upstream patch:
- "length %d, values %02X, %02X, "
- "%02X, %02X\n",
- p[0], p[1], p[2], p[3], p[4], p[5]);
+ "length %d\n", p[0], p[1]);
--
Tim Gardner tim.gardner at canonical.com
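To illustrate the length-underflow guard the patch adds, here is a simplified facilities walker written for this page (example code, not the kernel's x25_parse_facilities()); the class constants and the sample byte strings are assumed and constructed for the example, and the loop checks that each facility fits in the remaining unsigned length before decrementing it.

```c
#include <stdint.h>

/* Facility class encoding assumed for this example: the top two bits of
 * the facility code select the class (A = 2 bytes, B = 3, C = 4,
 * D = code, length byte, then that many value bytes). */
#define FAC_CLASS_MASK 0xC0
#define FAC_CLASS_A    0x00
#define FAC_CLASS_B    0x40
#define FAC_CLASS_C    0x80
#define FAC_CLASS_D    0xC0

/* Return the number of facilities in the block, or 0 if it is malformed.
 * `len` is unsigned, as in the kernel parser, so each decrement is
 * preceded by a check that the facility actually fits in `len`. */
unsigned int parse_facilities(const uint8_t *p, unsigned int len)
{
    unsigned int count = 0;
    while (len > 0) {
        unsigned int size;

        switch (p[0] & FAC_CLASS_MASK) {
        case FAC_CLASS_A: size = 2; break;
        case FAC_CLASS_B: size = 3; break;
        case FAC_CLASS_C: size = 4; break;
        default:          /* FAC_CLASS_D */
            if (len < 2)  /* the length byte p[1] must itself be in range */
                return 0;
            size = (unsigned int)p[1] + 2;
            break;
        }
        /* Without this guard, `len -= size` on a truncated facility wraps
         * the unsigned length to a huge value and the loop walks off the
         * end of the buffer, which is the crash the patch above prevents. */
        if (len < size)
            return 0;
        p += size;
        len -= size;
        count++;
    }
    return count;
}

/* Constructed sample input: class A (2 bytes), class B (3 bytes),
 * class D with a 2-byte value (4 bytes). */
static const uint8_t good_block[] = { 0x01, 0x80, 0x42, 0x0A, 0x0A,
                                      0xC9, 0x02, 0xAA, 0xBB };
/* The same block cut off one byte short inside the class D facility. */
static const uint8_t bad_block[]  = { 0x01, 0x80, 0x42, 0x0A, 0x0A,
                                      0xC9, 0x02, 0xAA };
```

Feeding the truncated block to a parser without the `len < size` guard would leave `len` wrapped to 0xFFFFFFFF and keep the loop reading past the data; with the guard it stops and reports the block as malformed.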