Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-5.4 / be20250c13f88375345ad99950190685eda51eb8
commitbe20250c13f88375345ad99950190685eda51eb8[log] [tgz]
authorDan Rosenberg <drosenberg@vsecurity.com>Sat Mar 19 20:43:43 2011 +0000
committerDavid S. Miller <davem@davemloft.net>Sun Mar 27 17:59:03 2011 -0700
tree71135bced4717604dff6e37d00f06f20870bbe1c
parentd370af0ef7951188daeb15bae75db7ba57c67846 [diff]
ROSE: prevent heap corruption with bad facilities

When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
a remote host to provide more digipeaters than expected, resulting in
heap corruption.  Check against ROSE_MAX_DIGIS to prevent overflows, and
abort facilities parsing on failure.

Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
of less than 10, resulting in an underflow in a memcpy size, causing a
kernel panic due to massive heap corruption.  A length of greater than
20 results in a stack overflow of the callsign array.  Abort facilities
parsing on these invalid length values.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
1 file changed
tree: 71135bced4717604dff6e37d00f06f20870bbe1c
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS