linux/net/rose
Dan Rosenberg be20250c13 ROSE: prevent heap corruption with bad facilities
When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
a remote host to provide more digipeaters than expected, resulting in
heap corruption.  Check against ROSE_MAX_DIGIS to prevent overflows, and
abort facilities parsing on failure.

Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
of less than 10, resulting in an underflow in a memcpy size, causing a
kernel panic due to massive heap corruption.  A length of greater than
20 results in a stack overflow of the callsign array.  Abort facilities
parsing on these invalid length values.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-03-27 17:59:03 -07:00
..
af_rose.c ROSE: AX25: finding routes simplification 2011-02-14 13:33:49 -08:00
Makefile Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
rose_dev.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
rose_in.c [ROSE]: Supress sparse warnings 2008-01-28 15:02:44 -08:00
rose_link.c net: return operator cleanup 2010-09-23 14:33:39 -07:00
rose_loopback.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
rose_out.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
rose_route.c ROSE: rose AX25 packet routing improvement 2011-02-14 13:31:09 -08:00
rose_subr.c ROSE: prevent heap corruption with bad facilities 2011-03-27 17:59:03 -07:00
rose_timer.c [ROSE]: rose_heartbeat_expiry() locking fix 2005-10-31 16:41:45 -02:00
sysctl_net_rose.c sysctl net: Remove unused binary sysctl code 2009-11-12 02:05:06 -08:00