Commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f

Authored by Dan Rosenberg
Committed by David S. Miller
1 parent e68e6133e2

x25: Prevent crashing when parsing bad X.25 facilities

Now with improved comma support.

On parsing malformed X.25 facilities, decrementing the remaining length
may cause it to underflow.  Since the length is an unsigned integer,
this will result in the loop continuing until the kernel crashes.

This patch adds checks to ensure decrementing the remaining length does
not cause it to wrap around.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 1 changed file with 9 additions and 3 deletions Side-by-side Diff

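--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -61,6 +61,8 @@
 while (len > 0) {
 switch (*p & X25_FAC_CLASS_MASK) {
 case X25_FAC_CLASS_A:
+if (len < 2)
+return 0;
 switch (*p) {
 case X25_FAC_REVERSE:
 if((p[1] & 0x81) == 0x81) {
@@ -104,6 +106,8 @@
 len -= 2;
 break;
 case X25_FAC_CLASS_B:
+if (len < 3)
+return 0;
 switch (*p) {
 case X25_FAC_PACKET_SIZE:
 facilities->pacsize_in = p[1];
@@ -125,6 +129,8 @@
 len -= 3;
 break;
 case X25_FAC_CLASS_C:
+if (len < 4)
+return 0;
 printk(KERN_DEBUG "X.25: unknown facility %02X, "
 "values %02X, %02X, %02X\n",
 p[0], p[1], p[2], p[3]);
@@ -132,6 +138,8 @@
 len -= 4;
 break;
 case X25_FAC_CLASS_D:
+if (len < p[1] + 2)
+return 0;
 switch (*p) {
 case X25_FAC_CALLING_AE:
 if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
@@ -149,9 +157,7 @@
 break;
 default:
 printk(KERN_DEBUG "X.25: unknown facility %02X,"
-"length %d, values %02X, %02X, "
-"%02X, %02X\n",
-p[0], p[1], p[2], p[3], p[4], p[5]);
+"length %d\n", p[0], p[1]);
 break;
 }
 len -= p[1] + 2;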
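Review bot: The new Class D guard reads `p[1]` before it has established that a second byte lies within the remaining length, so a facility byte that arrives with len == 1 still over-reads one byte past the facilities field before `len < p[1] + 2` can reject it; the guards added for classes A, B and C all check `len` before any operand byte is touched. Widening it to `if (len < 2 || len < p[1] + 2) return 0;` makes the Class D path as self-contained as the others. Whether that extra byte is always backed by skb data is not visible from this hunk, so in practice this may be a one-byte over-read rather than a fault, but the parser should not rely on it. x25_parse_facilities begins before the first hunk and continues past the last one, so the surrounding `while (len > 0)` loop and the function's return are not fully visible here.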