[SECURITY] memory corruption in X.25 facilities parsing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I put this together after a quick glance, so if someone knows this code
better than I do (i.e. at all), feel free to comment or drop this patch
if it's unnecessary.

A value of 0 will cause a memcpy() of ULONG_MAX size, destroying the
kernel heap.

Signed-off-by: Dan Rosenberg <drosenberg@xxxxxxxxxxxxx>

--- linux-2.6.36-rc6.orig/net/x25/x25_facilities.c	2010-09-28 21:01:22.000000000 -0400
+++ linux-2.6.36-rc6/net/x25/x25_facilities.c	2010-11-02 10:36:02.827291324 -0400
@@ -134,14 +134,14 @@ int x25_parse_facilities(struct sk_buff 
 		case X25_FAC_CLASS_D:
 			switch (*p) {
 			case X25_FAC_CALLING_AE:
-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
+				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] == 0)
 					break;
 				dte_facs->calling_len = p[2];
 				memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
 				*vc_fac_mask |= X25_MASK_CALLING_AE;
 				break;
 			case X25_FAC_CALLED_AE:
-				if (p[1] > X25_MAX_DTE_FACIL_LEN)
+				if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] == 0)
 					break;
 				dte_facs->called_len = p[2];
 				memcpy(dte_facs->called_ae, &p[3], p[1] - 1);


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Kernel Discussion]     [TCP Instrumentation]     [Ethernet Bridging]     [Linux Wireless Networking]     [Linux WPAN Networking]     [Linux Host AP]     [Linux WPAN Networking]     [Linux Bluetooth Networking]     [Linux ATH6KL Networking]     [Linux Networking Users]     [Linux Coverity]     [VLAN]     [Git]     [IETF Annouce]     [Linux Assembly]     [Security]     [Bugtraq]     [Yosemite Information]     [MIPS Linux]     [ARM Linux Kernel]     [ARM Linux]     [Linux Virtualization]     [Linux IDE]     [Linux RAID]     [Linux SCSI]