field | value | date
---|---|---
author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2016-10-29 22:28:18 +0300
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2016-11-03 16:46:39 +0300
commit | 667121ace9dbafb368618dbabcf07901c962ddac (patch) |
tree | a73ac08b8ff287151a62bfadc8acf167a3837194 /drivers/idle |
parent | 6449e31ddebdce68508cfaf0915d31aad3835f4f (diff) |
download | linux-667121ace9dbafb368618dbabcf07901c962ddac.tar.xz |
firewire: net: guard against rx buffer overflows
The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams. A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.
So, drop any packets carrying a fragment with offset + length larger
than datagram_size.
In addition, ensure that
- GASP header, unfragmented encapsulation header, or fragment
encapsulation header actually exists before we access it,
- the encapsulated datagram or fragment is of nonzero size.
Reported-by: Eyal Itkin <eyal.itkin@gmail.com>
Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>
Fixes: CVE 2016-8633
Cc: stable@vger.kernel.org
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
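The three checks the commit message describes (fragment offset + length must fit in datagram_size, the header must actually be present before it is read, and the payload must be non-empty) are shown below as an added, self-contained C example. This is not the firewire-net driver's code: the struct, the DATAGRAM_MAX limit and the function names are hypothetical, and the sample fragment is constructed inline. The bound check is written as a subtraction rather than `offset + len > datagram_size` so that a huge offset cannot wrap the addition and slip past the test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reassembly buffer size for illustration; not the driver's
 * constant. */
#define DATAGRAM_MAX 1500

/* Constructed stand-in for a datagram under reassembly. */
struct reassembly {
    uint8_t  data[DATAGRAM_MAX];
    uint32_t datagram_size;   /* total size announced for the datagram */
};

/* True iff a fragment of `len` bytes at `offset` lies entirely inside a
 * datagram of `datagram_size` bytes. Zero-length fragments are rejected,
 * and the comparison uses subtraction so a 32-bit `offset + len` cannot
 * wrap around. */
bool fragment_in_bounds(uint32_t datagram_size, uint32_t offset, uint32_t len)
{
    if (len == 0)                    /* nothing to copy: drop it */
        return false;
    if (offset > datagram_size)      /* offset alone already past the end */
        return false;
    return len <= datagram_size - offset;
}

/* True iff a buffer of `buf_len` bytes holds a header of `hdr_len` bytes
 * plus at least one byte of encapsulated payload. Call this before reading
 * any header field. */
bool header_present(size_t buf_len, size_t hdr_len)
{
    return buf_len > hdr_len;
}

/* Copy a fragment payload into the reassembly buffer. Returns 0 on success
 * and -1, touching nothing, when the fragment would overrun the datagram. */
int copy_fragment(struct reassembly *r, uint32_t offset,
                  const uint8_t *frag, uint32_t len)
{
    if (r->datagram_size > DATAGRAM_MAX)
        return -1;
    if (!fragment_in_bounds(r->datagram_size, offset, len))
        return -1;
    memcpy(r->data + offset, frag, len);
    return 0;
}

/* Worked run on constructed input: a 64-byte datagram, one fragment that
 * exactly reaches the end (accepted) and one shifted by a byte (rejected).
 * Returns 1 when both behave as expected, 0 otherwise. */
int demo_reassemble(void)
{
    struct reassembly r;
    const uint8_t frag[4] = { 1, 2, 3, 4 };   /* constructed payload */

    memset(&r, 0, sizeof r);
    r.datagram_size = 64;

    if (copy_fragment(&r, 60, frag, 4) != 0)  /* bytes 60..63: fits */
        return 0;
    if (r.data[63] != 4)
        return 0;
    if (copy_fragment(&r, 61, frag, 4) != -1) /* bytes 61..64: overruns */
        return 0;
    return 1;
}

int main(void)
{
    return demo_reassemble() ? 0 : 1;
}
```

The same subtraction pattern applies to the header check: compute how many bytes remain after the header and require it to be positive, instead of adding header and payload lengths and comparing the sum.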