mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-26 02:25:00 -05:00
667121ace9
The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams. A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.
So, drop any packets carrying a fragment with offset + length larger
than datagram_size.
In addition, ensure that
- GASP header, unfragmented encapsulation header, or fragment
encapsulation header actually exists before we access it,
- the encapsulated datagram or fragment is of nonzero size.
Reported-by: Eyal Itkin <eyal.itkin@gmail.com>
Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>
Fixes: CVE 2016-8633
Cc: stable@vger.kernel.org
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
|
||
|---|---|---|
| .. | ||
| core-card.c | ||
| core-cdev.c | ||
| core-device.c | ||
| core-iso.c | ||
| core-topology.c | ||
| core-transaction.c | ||
| core.h | ||
| init_ohci1394_dma.c | ||
| Kconfig | ||
| Makefile | ||
| net.c | ||
| nosy-user.h | ||
| nosy.c | ||
| nosy.h | ||
| ohci.c | ||
| ohci.h | ||
| sbp2.c | ||