ROSE: prevent heap corruption with bad facilities - snowball/igloo-kernel.git

diff options

author	Dan Rosenberg <drosenberg@vsecurity.com>	2011-03-19 20:43:43 +0000
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-04-14 13:02:15 -0700
commit	1ffe8eb4c593f56a60880e3929be66ee15d3622c (patch)
tree	0822abaa92319d2cd15031a4a0a28c47b3ca5326 /include/xen
parent	f8e3c0bb58a569babfb8d72e7e0655686dbcbab1 (diff)

ROSE: prevent heap corruption with bad facilities

commit be20250c13f88375345ad99950190685eda51eb8 upstream. When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and abort facilities parsing on failure. Additionally, when parsing the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length of less than 10, resulting in an underflow in a memcpy size, causing a kernel panic due to massive heap corruption. A length of greater than 20 results in a stack overflow of the callsign array. Abort facilities parsing on these invalid length values. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Diffstat (limited to 'include/xen')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: