ACK: [maverick/ti-omap4 CVE 1/1] memory corruption in X.25 facilities parsing
Stefan Bader
stefan.bader at canonical.com
Tue Oct 4 11:39:41 UTC 2011
On 04.10.2011 12:58, Andy Whitcroft wrote:
> From: andrew hendry <andrew.hendry at gmail.com>
>
> Signed-of-by: Andrew Hendry <andrew.hendry at gmail.com>
>
> Signed-off-by: David S. Miller <davem at davemloft.net>
>
> (cherry picked from commit a6331d6f9a4298173b413cf99a40cc86a9d92c37)
> CVE-2010-3873
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---
> net/x25/x25_facilities.c | 8 ++++----
> net/x25/x25_in.c | 2 ++
> 2 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
> index 8f15284..55187c8 100644
> --- a/net/x25/x25_facilities.c
> +++ b/net/x25/x25_facilities.c
> @@ -142,15 +142,15 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
> return 0;
> switch (*p) {
> case X25_FAC_CALLING_AE:
> - if (p[1] > X25_MAX_DTE_FACIL_LEN)
> - break;
> + if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
> + return 0;
> dte_facs->calling_len = p[2];
> memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
> *vc_fac_mask |= X25_MASK_CALLING_AE;
> break;
> case X25_FAC_CALLED_AE:
> - if (p[1] > X25_MAX_DTE_FACIL_LEN)
> - break;
> + if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
> + return 0;
> dte_facs->called_len = p[2];
> memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
> *vc_fac_mask |= X25_MASK_CALLED_AE;
> diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
> index 6317896..f729f02 100644
> --- a/net/x25/x25_in.c
> +++ b/net/x25/x25_in.c
> @@ -119,6 +119,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
> &x25->vc_facil_mask);
> if (len > 0)
> skb_pull(skb, len);
> + else
> + return -1;
> /*
> * Copy any Call User Data.
> */
Sometimes upstream is overly verbose... Anyways, clean pick, is in other
releases and simple.
Acked-by: Stefan Bader <smb at canonical.com>
More information about the kernel-team
mailing list