WSL2-Linux-Kernel/net
Dan Rosenberg be20250c13 ROSE: prevent heap corruption with bad facilities
When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
a remote host to provide more digipeaters than expected, resulting in
heap corruption.  Check against ROSE_MAX_DIGIS to prevent overflows, and
abort facilities parsing on failure.

Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
of less than 10, resulting in an underflow in a memcpy size, causing a
kernel panic due to massive heap corruption.  A length of greater than
20 results in a stack overflow of the callsign array.  Abort facilities
parsing on these invalid length values.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-03-27 17:59:03 -07:00
..
9p Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
802 net/802: add __rcu annotations 2010-10-25 13:09:44 -07:00
8021q vlan: should take into account needed_headroom 2011-03-18 15:13:12 -07:00
appletalk net/appletalk: fix atalk_release use after free 2011-03-21 18:18:00 -07:00
atm ipv4: Create and use route lookup helpers. 2011-03-12 15:08:42 -08:00
ax25 net: ax25: fix information leak to userland harder 2011-01-12 00:34:49 -08:00
batman-adv Merge branch 'batman-adv/next' of git://git.open-mesh.org/ecsv/linux-merge 2011-03-07 00:37:13 -08:00
bluetooth Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2011-03-18 10:35:30 -07:00
bridge bridge: Fix possibly wrong MLD queries' ethernet source address 2011-03-22 19:26:42 -07:00
caif Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-02-08 17:19:01 -08:00
can can: test size of struct sockaddr in sendmsg 2011-01-15 20:56:42 -08:00
ceph libceph: fix msgr standby handling 2011-03-04 12:25:05 -08:00
core net: implement dev_disable_lro() hw_features compatibility 2011-03-22 01:00:26 -07:00
dcb net: dcbnl: Update copyright dates 2011-03-14 17:02:42 -07:00
dccp net: Put fl6_* macros to struct flowi6 and use them again. 2011-03-12 15:08:55 -08:00
decnet decnet: Convert to use flowidn where applicable. 2011-03-12 15:08:55 -08:00
dns_resolver DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] 2011-03-04 09:56:19 +11:00
dsa dsa/mv88e6060: support nonzero mii base address 2011-03-08 14:24:20 -08:00
econet econet: 4 byte infoleak to the network 2011-03-18 15:12:15 -07:00
ethernet eth: fix new kernel-doc warning 2011-01-12 19:00:40 -08:00
ieee802154 net: RCU conversion of dev_getbyhwaddr() and arp_ioctl() 2010-12-08 10:07:24 -08:00
ipv4 ipv4: do not ignore route errors 2011-03-25 20:33:23 -07:00
ipv6 ipv6: ip6_route_output does not modify sk parameter, so make it const 2011-03-22 19:17:36 -07:00
ipx ipx: fix ipx_release() 2011-03-21 18:16:39 -07:00
irda irda: validate peer name and attribute lengths 2011-03-27 17:59:02 -07:00
iucv [S390] irq: have detailed statistics for interrupt types 2011-01-05 12:47:25 +01:00
key pfkey: fix warning 2011-03-01 22:51:52 -08:00
l2tp l2tp: fix possible oops on l2tp_eth module unload 2011-03-21 18:10:25 -07:00
lapb Net: lapb: Makefile: Remove deprecated kbuild goal definitions 2010-11-22 08:16:14 -08:00
llc llc: avoid skb_clone() if there is only one handler 2011-02-28 12:28:50 -08:00
mac80211 mac80211: initialize sta->last_rx in sta_info_alloc 2011-03-21 15:19:50 -04:00
netfilter IPVS: Use global mutex in ip_vs_app.c 2011-03-21 20:39:24 -07:00
netlabel netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms 2011-03-03 10:55:40 -08:00
netlink Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-03-03 21:27:42 -08:00
netrom net: sk_sleep() helper 2010-04-20 16:37:13 -07:00
packet af_packet: struct socket declared/assigned but unused 2011-03-07 15:51:13 -08:00
phonet Phonet: fix aligned-mode pipe socket buffer header reserve 2011-03-15 14:55:49 -07:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
rfkill kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT 2011-01-20 17:02:05 -08:00
rose ROSE: prevent heap corruption with bad facilities 2011-03-27 17:59:03 -07:00
rxrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
sched ipv4: Remove flowi from struct rtable. 2011-03-04 21:55:31 -08:00
sctp ipv6: Convert to use flowi6 where applicable. 2011-03-12 15:08:54 -08:00
sunrpc Merge branch 'nfs-for-2.6.39' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6 2011-03-17 17:40:00 -07:00
tipc tipc: delete extra semicolon blocking node deletion 2011-03-14 12:21:12 -04:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-03-16 16:29:25 -07:00
wanrouter net: cleanup unused macros in net directory 2011-01-19 23:20:04 -08:00
wimax Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-05-20 21:04:44 -07:00
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem 2011-03-15 14:16:48 -04:00
x25 x25: remove the BKL 2011-03-05 10:55:45 +01:00
xfrm dst: Clone child entry in skb_dst_pop 2011-03-27 17:55:01 -07:00
Kconfig net: RPS: Enable hardware acceleration of RFS 2011-01-24 14:53:01 -08:00
Makefile net: Enter net/ipv6/ even if CONFIG_IPV6=n 2011-03-07 12:50:52 -08:00
TUNABLE
compat.c net: Limit socket I/O iovec total length to INT_MAX. 2010-10-28 11:47:52 -07:00
nonet.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
socket.c ethtool: Compat handling for struct ethtool_rxnfc 2011-03-18 15:13:11 -07:00
sysctl_net.c net: Remove unnecessary returns from void function()s 2010-05-17 23:23:14 -07:00