lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 12 Nov 2010 10:24:01 +1100
From:	Andrew Hendry <andrew.hendry@...il.com>
To:	Dan Rosenberg <drosenberg@...curity.com>
Cc:	netdev@...r.kernel.org, security@...nel.org
Subject: Re: [SECURITY] [PATCH] Prevent crashing when parsing bad X.25 facilities

Tested ok, although I noticed the CLASS_D default: message tries to
print the facility type, length and 4 values, while it may only have 2
values. Just needs p[4] and p[5] taken out. Do you want me to spin a
secondary patch or do you want to put them together?

Acked-by: Andrew Hendry <andrew.hendry@...il.com>

On Fri, Nov 12, 2010 at 9:43 AM, Dan Rosenberg <drosenberg@...curity.com> wrote:
> Sorry I didn't catch this at the same time as my previous report so it
> could be included in one patch.
>
> On parsing malformed X.25 facilities, decrementing the remaining length
> may cause it to underflow.  Since the length is an unsigned integer,
> this will result in the loop continuing until the kernel crashes.
>
> This patch adds checks to ensure decrementing the remaining length does
> not cause it to wrap around.
>
> Signed-off-by: Dan Rosenberg <drosenberg@...curity.com>
> CC: stable <stable@...nel.org>
> ---
>  net/x25/x25_facilities.c |    8 ++++++++
>  1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
> index 3a8c4c4..bef8330 100644
> --- a/net/x25/x25_facilities.c
> +++ b/net/x25/x25_facilities.c
> @@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
>        while (len > 0) {
>                switch (*p & X25_FAC_CLASS_MASK) {
>                case X25_FAC_CLASS_A:
> +                       if (len < 2)
> +                               return 0;
>                        switch (*p) {
>                        case X25_FAC_REVERSE:
>                                if((p[1] & 0x81) == 0x81) {
> @@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
>                        len -= 2;
>                        break;
>                case X25_FAC_CLASS_B:
> +                       if (len < 3)
> +                               return 0;
>                        switch (*p) {
>                        case X25_FAC_PACKET_SIZE:
>                                facilities->pacsize_in  = p[1];
> @@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
>                        len -= 3;
>                        break;
>                case X25_FAC_CLASS_C:
> +                       if (len < 4)
> +                               return 0;
>                        printk(KERN_DEBUG "X.25: unknown facility %02X, "
>                               "values %02X, %02X, %02X\n",
>                               p[0], p[1], p[2], p[3]);
> @@ -132,6 +138,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
>                        len -= 4;
>                        break;
>                case X25_FAC_CLASS_D:
> +                       if (len < p[1] + 2)
> +                               return 0;
>                        switch (*p) {
>                        case X25_FAC_CALLING_AE:
>                                if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
>
>
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists