[PATCH DAPPER] x25: Prevent crashing when parsing bad X.25 facilities CVE-2010-4164

Tim Gardner tim.gardner at canonical.com
Tue Mar 8 16:21:46 UTC 2011


On 03/08/2011 03:46 PM, Steve Conklin wrote:
> BugLink: http://bugs.launchpad.net/bugs/731199
>
> CVE-2010-4164
>
> Now with improved comma support.
>
> On parsing malformed X.25 facilities, decrementing the remaining length
> may cause it to underflow.  Since the length is an unsigned integer,
> this will result in the loop continuing until the kernel crashes.
>
> This patch adds checks to ensure decrementing the remaining length does
> not cause it to wrap around.
>
> Signed-off-by: Dan Rosenberg<drosenberg at vsecurity.com>
> Signed-off-by: David S. Miller<davem at davemloft.net>
>      (based on upstream commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f)
> Signed-off-by: Steve Conklin<sconklin at canonical.com>
> ---
>   net/x25/x25_facilities.c |    8 ++++++++
>   1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
> index 54278b9..2af5e45 100644
> --- a/net/x25/x25_facilities.c
> +++ b/net/x25/x25_facilities.c
> @@ -43,6 +43,8 @@ int x25_parse_facilities(struct sk_buff *skb,
>   	while (len>  0) {
>   		switch (*p&  X25_FAC_CLASS_MASK) {
>   		case X25_FAC_CLASS_A:
> +			if (len<  2)
> +				return 0;
>   			switch (*p) {
>   			case X25_FAC_REVERSE:
>   				if((p[1]&  0x81) == 0x81) {
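Review bot: the `if (len < 2) return 0;` guard is placed ahead of `switch (*p)`, so every class A case, including the `(p[1] & 0x81) == 0x81` test shown here, only touches p[1] once two bytes are known to remain, and the trailing `len -= 2` can no longer wrap the unsigned `len`. Worth confirming at the call site that a 0 return is handled as a parse failure rather than as "no facilities present".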
> @@ -84,6 +86,8 @@ int x25_parse_facilities(struct sk_buff *skb,
>   			len -= 2;
>   			break;
>   		case X25_FAC_CLASS_B:
> +			if (len<  3)
> +				return 0;
>   			switch (*p) {
>   			case X25_FAC_PACKET_SIZE:
>   				facilities->pacsize_in  = p[1];
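Review bot: `if (len < 3) return 0;` sits before `switch (*p)`, so it covers the p[1] and p[2] reads for every class B facility rather than only X25_FAC_PACKET_SIZE, and it precedes the `len -= 3` that would otherwise underflow; placing the check at the class level instead of per case is the right spot.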
> @@ -105,6 +109,8 @@ int x25_parse_facilities(struct sk_buff *skb,
>   			len -= 3;
>   			break;
>   		case X25_FAC_CLASS_C:
> +			if (len<  4)
> +				return 0;
>   			printk(KERN_DEBUG "X.25: unknown facility %02X, "
>   			       "values %02X, %02X, %02X\n",
>   			       p[0], p[1], p[2], p[3]);
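Review bot: the `len < 4` guard precedes the printk that reads p[0] through p[3], so the debug message itself can no longer read past a truncated class C facility, and `len -= 4` stays in range. Fine as is.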
> @@ -112,6 +118,8 @@ int x25_parse_facilities(struct sk_buff *skb,
>   			len -= 4;
>   			break;
>   		case X25_FAC_CLASS_D:
> +			if (len<  p[1] + 2)
> +				return 0;
>   			printk(KERN_DEBUG "X.25: unknown facility %02X, "
>   			       "length %d, values %02X, %02X, %02X, %02X\n",
>   			       p[0], p[1], p[2], p[3], p[4], p[5]);
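Review bot: two gaps remain in the class D branch. First, `if (len < p[1] + 2)` reads p[1] before anything has established that at least two bytes remain, so a block that ends in a lone class D code byte still reads one byte past it; a `len < 2` test should come before the length byte is used. Second, the printk that follows still prints p[2] through p[5] unconditionally while the new check only guarantees `p[1] + 2` bytes, so a facility with p[1] below 4 passes the check and the message reads beyond it anyway; reduce the debug output to the code and length bytes (`"length %d\n", p[0], p[1]`) or guard it on p[1].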

Seems like you missed part of the upstream patch:

-					"length %d, values %02X, %02X, "
-					"%02X, %02X\n",
-					p[0], p[1], p[2], p[3], p[4], p[5]);
+					"length %d\n", p[0], p[1]);


-- 
Tim Gardner tim.gardner at canonical.com
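As an added example (not part of the patch or of the kernel's own code), the shape of the patched loop with the per-class length checks, plus a check before the class D length byte is read; the facility class constants and the sample blocks are constructed stand-ins.

```c
/* Constructed stand-ins for the kernel's X.25 facility class constants:
   the top two bits of the facility code select the class. */
#define FAC_CLASS_MASK 0xC0
#define FAC_CLASS_A    0x00  /* 1 parameter byte  -> 2 bytes per facility */
#define FAC_CLASS_B    0x40  /* 2 parameter bytes -> 3 bytes */
#define FAC_CLASS_C    0x80  /* 3 parameter bytes -> 4 bytes */
#define FAC_CLASS_D    0xC0  /* p[1] parameter bytes -> p[1] + 2 bytes */
/* Walk a facilities block of `len` bytes in the shape of the patched loop.
   Returns the number of facilities consumed, or 0 for a malformed block.
   `len` is unsigned as in the kernel: without the per-class checks,
   `len -= need` on a short trailing facility wraps to a huge value and
   the loop keeps reading past the end of the block. */
unsigned parse_facilities(const unsigned char *p, unsigned len)
{
    unsigned count = 0;
    while (len > 0) {
        unsigned need;
        switch (p[0] & FAC_CLASS_MASK) {
        case FAC_CLASS_A: need = 2; break;
        case FAC_CLASS_B: need = 3; break;
        case FAC_CLASS_C: need = 4; break;
        default:                 /* FAC_CLASS_D: p[1] is the length byte, */
            if (len < 2)         /* so it must be in bounds before use   */
                return 0;
            need = (unsigned)p[1] + 2;
            break;
        }
        /* The patch's check: bail out before `len -= need` can underflow
           and before any parameter byte beyond the block is touched. */
        if (len < need)
            return 0;
        p   += need;             /* per-facility decoding of p[1..need-1] omitted */
        len -= need;
        count++;
    }
    return count;
}
/* Constructed inputs: one well-formed block and three truncated ones. */
static const unsigned char good[] = {
    0x01, 0x80,                 /* class A */
    0x42, 0x0A, 0x0A,           /* class B */
    0xC4, 0x02, 0xAA, 0xBB };   /* class D with 2 parameter bytes */
static const unsigned char short_c[] = { 0x80, 0x01, 0x02 }; /* class C needs 4 */
static const unsigned char short_d[] = { 0xC4, 0x05, 0x01 }; /* class D claims 5 */
static const unsigned char lone_d[]  = { 0xC4 };             /* no length byte */
unsigned check_good(void)    { return parse_facilities(good, sizeof good); }
unsigned check_short_c(void) { return parse_facilities(short_c, sizeof short_c); }
unsigned check_short_d(void) { return parse_facilities(short_d, sizeof short_d); }
unsigned check_lone_d(void)  { return parse_facilities(lone_d, sizeof lone_d); }
```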