diff options
| author | Dan Rosenberg <drosenberg@vsecurity.com> | 2011-03-19 20:43:43 +0000 |
|---|---|---|
| committer | Andi Kleen <ak@linux.intel.com> | 2011-04-28 08:20:52 -0700 |
| commit | 18569f1467745ca8ebe929ecc43046ab71fd01a5 (patch) | |
| tree | 7980e98fb01b59e4aeda1e8f567cc241101bf8e1 /fs/ubifs/commit.c | |
| parent | b656c2b755012f488d2705d095db10854a2d803f (diff) | |
ROSE: prevent heap corruption with bad facilities
commit be20250c13f88375345ad99950190685eda51eb8 upstream.
When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
a remote host to provide more digipeaters than expected, resulting in
heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and
abort facilities parsing on failure.
Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
of less than 10, resulting in an underflow in a memcpy size, causing a
kernel panic due to massive heap corruption. A length of greater than
20 results in a stack overflow of the callsign array. Abort facilities
parsing on these invalid length values.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Diffstat (limited to 'fs/ubifs/commit.c')
0 files changed, 0 insertions, 0 deletions