Dan Rosenberg 62fdb8668c ROSE: prevent heap corruption with bad facilities ...

commit be20250c13 upstream.

When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
a remote host to provide more digipeaters than expected, resulting in
heap corruption.  Check against ROSE_MAX_DIGIS to prevent overflows, and
abort facilities parsing on failure.

Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
of less than 10, resulting in an underflow in a memcpy size, causing a
kernel panic due to massive heap corruption.  A length of greater than
20 results in a stack overflow of the callsign array.  Abort facilities
parsing on these invalid length values.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

2011-04-14 16:53:27 -07:00

..

af_rose.c

rose: Fix signedness issues wrt. digi count.

2010-10-28 21:44:10 -07:00

Makefile

…

rose_dev.c

convert hamradio drivers to netdev_txreturnt_t

2009-09-01 01:13:12 -07:00

rose_in.c

[ROSE]: Supress sparse warnings

2008-01-28 15:02:44 -08:00

rose_link.c

ax25: netrom: rose: Fix timer oopses

2010-02-09 04:50:56 -08:00

rose_loopback.c

[ROSE]: Fix rose.ko oops on unload

2007-10-07 23:44:17 -07:00

rose_out.c

[PATCH] remove many unneeded #includes of sched.h

2007-02-14 08:09:54 -08:00

rose_route.c

ax25: netrom: rose: Fix timer oopses

2010-02-09 04:50:56 -08:00

rose_subr.c

ROSE: prevent heap corruption with bad facilities

2011-04-14 16:53:27 -07:00

rose_timer.c

…

sysctl_net_rose.c

net: '&' redux

2008-11-03 18:21:05 -08:00