review.tizen.org Git - platform/kernel/linux-exynos.git/commit

author	Stefan Richter <stefanr@s5r6.in-berlin.de>
	Sat, 29 Oct 2016 19:28:18 +0000 (21:28 +0200)
committer	Sasha Levin <alexander.levin@verizon.com>
	Sat, 26 Nov 2016 03:57:03 +0000 (22:57 -0500)
commit	c604dec3d5a695efed5492fc463ef70ef8010bbe
tree	956340cad66ecde0a5845eec9784cdbbfa0569cb	tree \| snapshot
parent	9fe6256c0020a220fdbd096886a40de1a5a73388	commit \| diff

firewire: net: guard against rx buffer overflows

[ Upstream commit 667121ace9dbafb368618dbabcf07901c962ddac ]

The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams.  A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.

So, drop any packets carrying a fragment with offset + length larger
than datagram_size.

In addition, ensure that
  - GASP header, unfragmented encapsulation header, or fragment
    encapsulation header actually exists before we access it,
  - the encapsulated datagram or fragment is of nonzero size.

Reported-by: Eyal Itkin <eyal.itkin@gmail.com>
Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>
Fixes: CVE 2016-8633
Cc: stable@vger.kernel.org
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>