[PATCH] x25: Prevent crashing when parsing bad X.25 facilities CVE-2010-4164
Tim Gardner
tim.gardner at canonical.com
Tue Mar 8 16:24:29 UTC 2011
On 03/08/2011 03:46 PM, Steve Conklin wrote:
> From: Dan Rosenberg <drosenberg at vsecurity.com>
>
> BugLink: http://bugs.launchpad.net/bugs/731199
>
> CVE-2010-4164
>
> Now with improved comma support.
>
> On parsing malformed X.25 facilities, decrementing the remaining length
> may cause it to underflow. Since the length is an unsigned integer,
> this will result in the loop continuing until the kernel crashes.
>
> This patch adds checks to ensure decrementing the remaining length does
> not cause it to wrap around.
>
> Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f)
> Signed-off-by: Steve Conklin <sconklin at canonical.com>
> ---
> net/x25/x25_facilities.c | 12 +++++++++---
> 1 files changed, 9 insertions(+), 3 deletions(-)
>
Acked-by: Tim Gardner <tim.gardner at canonical.com> for Hardy and Karmic
rtg
--
Tim Gardner tim.gardner at canonical.com
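
The underflow described in the quoted commit message, as an added example that is not part of the original thread and is not the kernel's x25_facilities.c code. The function names are hypothetical, the sample bytes are constructed, and the class layout (top two bits of the facility code select a 1-, 2-, 3-byte or length-prefixed parameter) is assumed from the X.25 facility encoding.

```c
#include <stdio.h>

/* Assumption: the facility class is the top two bits of the code byte. */
#define FAC_CLASS_MASK 0xC0
#define FAC_CLASS_A    0x00 /* code + 1 parameter byte  */
#define FAC_CLASS_B    0x40 /* code + 2 parameter bytes */
#define FAC_CLASS_C    0x80 /* code + 3 parameter bytes */

/* Size of the facility at p, or 0 if it does not fit in the len bytes left. */
static unsigned int fac_size(const unsigned char *p, unsigned int len)
{
    unsigned int need;
    switch (p[0] & FAC_CLASS_MASK) {
    case FAC_CLASS_A: need = 2; break;
    case FAC_CLASS_B: need = 3; break;
    case FAC_CLASS_C: need = 4; break;
    default: /* class D: code, length byte, then that many bytes */
        if (len < 2)
            return 0;
        need = 2 + (unsigned int)p[1];
    }
    return need <= len ? need : 0;
}

/* Hardened walk: number of facilities, or -1 if one is truncated. */
int count_facilities(const unsigned char *buf, unsigned int len)
{
    int n = 0;
    while (len > 0) {
        unsigned int sz = fac_size(buf, len);
        if (sz == 0)
            return -1; /* decrementing len would wrap: reject instead */
        buf += sz;
        len -= sz;
        n++;
    }
    return n;
}

/* What an unchecked "len -= sz" leaves behind (unsigned wraps modulo 2^N). */
unsigned int unchecked_remaining(unsigned int len, unsigned int sz)
{
    return len - sz;
}

int main(void)
{
    const unsigned char bad[] = { 0x42, 0x00 }; /* constructed: class B cut short */
    printf("checked: %d, unchecked remaining: %u\n",
           count_facilities(bad, 2), unchecked_remaining(2, 3));
    return 0;
}
```

With the unchecked decrement the remaining length becomes a huge positive value, so a `while (len > 0)` loop keeps reading past the end of the buffer; the checked walk stops at the first facility that does not fit.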