git.baikalelectronics.ru Git - kernel.git/commit

author	Stefan Richter <stefanr@s5r6.in-berlin.de>
	Sat, 29 Oct 2016 19:28:18 +0000 (21:28 +0200)
committer	Stefan Richter <stefanr@s5r6.in-berlin.de>
	Thu, 3 Nov 2016 13:46:39 +0000 (14:46 +0100)
commit	2c8871811b268d91e7d5f12a35a1755bf3484875
tree	a73ac08b8ff287151a62bfadc8acf167a3837194	tree \| snapshot
parent	4a90dd0d6c2ed385e3fade75756ce8012c982624	commit \| diff

firewire: net: guard against rx buffer overflows

The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams.  A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.

So, drop any packets carrying a fragment with offset + length larger
than datagram_size.

In addition, ensure that
  - GASP header, unfragmented encapsulation header, or fragment
    encapsulation header actually exists before we access it,
  - the encapsulated datagram or fragment is of nonzero size.

Reported-by: Eyal Itkin <eyal.itkin@gmail.com>
Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>
Fixes: CVE 2016-8633
Cc: stable@vger.kernel.org
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>