summaryrefslogtreecommitdiff
path: root/net/rose/rose_route.c
diff options
context:
space:
mode:
authorDan Rosenberg <drosenberg@vsecurity.com>2011-03-19 23:43:43 +0300
committerDavid S. Miller <davem@davemloft.net>2011-03-28 04:59:03 +0400
commitbe20250c13f88375345ad99950190685eda51eb8 (patch)
tree71135bced4717604dff6e37d00f06f20870bbe1c /net/rose/rose_route.c
parentd370af0ef7951188daeb15bae75db7ba57c67846 (diff)
downloadlinux-be20250c13f88375345ad99950190685eda51eb8.tar.xz
ROSE: prevent heap corruption with bad facilities
When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and abort facilities parsing on failure. Additionally, when parsing the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length of less than 10, resulting in an underflow in a memcpy size, causing a kernel panic due to massive heap corruption. A length of greater than 20 results in a stack overflow of the callsign array. Abort facilities parsing on these invalid length values. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: stable@kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/rose/rose_route.c')
0 files changed, 0 insertions, 0 deletions