iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Dan Rosenberg be20250c13 ROSE: prevent heap corruption with bad facilities 
When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for
a remote host to provide more digipeaters than expected, resulting in
heap corruption.  Check against ROSE_MAX_DIGIS to prevent overflows, and
abort facilities parsing on failure.

Additionally, when parsing the FAC_CCITT_DEST_NSAP and
FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length
of less than 10, resulting in an underflow in a memcpy size, causing a
kernel panic due to massive heap corruption.  A length of greater than
20 results in a stack overflow of the callsign array.  Abort facilities
parsing on these invalid length values.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-03-27 17:59:03 -07:00
..
9p
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6
2011-03-16 16:29:25 -07:00
802
net/802: add __rcu annotations
2010-10-25 13:09:44 -07:00
8021q
vlan: should take into account needed_headroom
2011-03-18 15:13:12 -07:00
appletalk
net/appletalk: fix atalk_release use after free
2011-03-21 18:18:00 -07:00
atm
ipv4: Create and use route lookup helpers.
2011-03-12 15:08:42 -08:00
ax25
net: ax25: fix information leak to userland harder
2011-01-12 00:34:49 -08:00
batman-adv
Merge branch 'batman-adv/next' of git://git.open-mesh.org/ecsv/linux-merge
2011-03-07 00:37:13 -08:00
bluetooth
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
2011-03-18 10:35:30 -07:00
bridge
bridge: Fix possibly wrong MLD queries' ethernet source address
2011-03-22 19:26:42 -07:00
caif
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
2011-02-08 17:19:01 -08:00
can
can: test size of struct sockaddr in sendmsg
2011-01-15 20:56:42 -08:00
ceph
libceph: fix msgr standby handling
2011-03-04 12:25:05 -08:00
core
net: implement dev_disable_lro() hw_features compatibility
2011-03-22 01:00:26 -07:00
dcb
net: dcbnl: Update copyright dates
2011-03-14 17:02:42 -07:00
dccp
net: Put fl6_* macros to struct flowi6 and use them again.
2011-03-12 15:08:55 -08:00
decnet
decnet: Convert to use flowidn where applicable.
2011-03-12 15:08:55 -08:00
dns_resolver
DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076]
2011-03-04 09:56:19 +11:00
dsa
dsa/mv88e6060: support nonzero mii base address
2011-03-08 14:24:20 -08:00
econet
econet: 4 byte infoleak to the network
2011-03-18 15:12:15 -07:00
ethernet
eth: fix new kernel-doc warning
2011-01-12 19:00:40 -08:00
ieee802154
net: RCU conversion of dev_getbyhwaddr() and arp_ioctl()
2010-12-08 10:07:24 -08:00
ipv4
ipv4: do not ignore route errors
2011-03-25 20:33:23 -07:00
ipv6
ipv6: ip6_route_output does not modify sk parameter, so make it const
2011-03-22 19:17:36 -07:00
ipx
ipx: fix ipx_release()
2011-03-21 18:16:39 -07:00
irda
irda: validate peer name and attribute lengths
2011-03-27 17:59:02 -07:00
iucv
[S390] irq: have detailed statistics for interrupt types
2011-01-05 12:47:25 +01:00
key
pfkey: fix warning
2011-03-01 22:51:52 -08:00
l2tp
l2tp: fix possible oops on l2tp_eth module unload
2011-03-21 18:10:25 -07:00
lapb
Net: lapb: Makefile: Remove deprecated kbuild goal definitions
2010-11-22 08:16:14 -08:00
llc
llc: avoid skb_clone() if there is only one handler
2011-02-28 12:28:50 -08:00
mac80211
mac80211: initialize sta->last_rx in sta_info_alloc
2011-03-21 15:19:50 -04:00
netfilter
IPVS: Use global mutex in ip_vs_app.c
2011-03-21 20:39:24 -07:00
netlabel
netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms
2011-03-03 10:55:40 -08:00
netlink
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
2011-03-03 21:27:42 -08:00
netrom
net: sk_sleep() helper
2010-04-20 16:37:13 -07:00
packet
af_packet: struct socket declared/assigned but unused
2011-03-07 15:51:13 -08:00
phonet
Phonet: fix aligned-mode pipe socket buffer header reserve
2011-03-15 14:55:49 -07:00
rds
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6
2011-03-16 16:29:25 -07:00
rfkill
kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT
2011-01-20 17:02:05 -08:00
rose
ROSE: prevent heap corruption with bad facilities
2011-03-27 17:59:03 -07:00
rxrpc
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6
2011-03-16 16:29:25 -07:00
sched
ipv4: Remove flowi from struct rtable.
2011-03-04 21:55:31 -08:00
sctp
ipv6: Convert to use flowi6 where applicable.
2011-03-12 15:08:54 -08:00
sunrpc
Merge branch 'nfs-for-2.6.39' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6
2011-03-17 17:40:00 -07:00
tipc
tipc: delete extra semicolon blocking node deletion
2011-03-14 12:21:12 -04:00
unix
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6
2011-03-16 16:29:25 -07:00
wanrouter
net: cleanup unused macros in net directory
2011-01-19 23:20:04 -08:00
wimax
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6
2010-05-20 21:04:44 -07:00
wireless
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem
2011-03-15 14:16:48 -04:00
x25
x25: remove the BKL
2011-03-05 10:55:45 +01:00
xfrm
dst: Clone child entry in skb_dst_pop
2011-03-27 17:55:01 -07:00
compat.c
net: Limit socket I/O iovec total length to INT_MAX.
2010-10-28 11:47:52 -07:00
Kconfig
net: RPS: Enable hardware acceleration of RFS
2011-01-24 14:53:01 -08:00
Makefile
net: Enter net/ipv6/ even if CONFIG_IPV6=n
2011-03-07 12:50:52 -08:00
nonet.c
llseek: automatically add .llseek fop
2010-10-15 15:53:27 +02:00
socket.c
ethtool: Compat handling for struct ethtool_rxnfc
2011-03-18 15:13:11 -07:00
sysctl_net.c
net: Remove unnecessary returns from void function()s
2010-05-17 23:23:14 -07:00
TUNABLE