net · v2.6.25.5 · Upstream / linux-stable

asn1: additional sanity checking during BER decoding (CVE-2008-1673)

Chris Wright authored 17 years ago

upstream commit: ddb2c435



- Don't trust a length which is greater than the working buffer.
  An invalid length could cause overflow when calculating buffer size
  for decoding oid.

- An oid length of zero is invalid and allows for an off-by-one error when
  decoding oid because the first subid actually encodes first 2 subids.

- A primitive encoding may not have an indefinite length.

Thanks to Wei Wang from McAfee for report.

Cc: Steven French <sfrench@us.ibm.com>
Cc: stable@kernel.org
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

33afb840

Name	Last commit	Last update
..
802	[TR] net/802/tr.c: sysctl_tr_rif_timeout static	17 years ago
8021q	[VLAN]: Fix egress priority mappings leak.	17 years ago
9p	net/9p/trans_fd.c:p9_trans_fd_init(): module_init functions should return 0 on success	17 years ago
appletalk	[APPLETALK]: Use proc_create() to setup ->proc_fops first	17 years ago
atm	[NET]: Undo code bloat in hot paths due to print_mac().	17 years ago
ax25	[AX25]: Potential ax25_uid_assoc-s leaks on module unload.	17 years ago
bluetooth	bluetooth : __rfcomm_dlc_close lock fix	17 years ago
bridge	[BRIDGE]: Fix crash in __ip_route_output_key with bridge netfilter	17 years ago
can	can: Fix can_send() handling on dev_queue_xmit() failures	17 years ago
core	RTNETLINK: Fix bogus ASSERT_RTNL warning	17 years ago
dccp	dccp: return -EINVAL on invalid feature length	17 years ago
decnet	[DECNET] ROUTE: remove unecessary alignment	17 years ago
econet	[NET]: Convert init_timer into setup_timer	17 years ago
ethernet	[NET]: Return more appropriate error from eth_validate_addr().	17 years ago
ieee80211	[NET]: Undo code bloat in hot paths due to print_mac().	17 years ago
ipv4	asn1: additional sanity checking during BER decoding (CVE-2008-1673)	16 years ago
ipv6	{nfnetlink, ip, ip6}_queue: fix skb_over_panic when enlarging packets	17 years ago
ipx	[IPX]: Use proc_create() to setup ->proc_fops first	17 years ago
irda	[IRDA]: Store irnet_socket termios properly.	17 years ago
iucv	iucv: fix build error on !SMP	17 years ago
key	IPSEC: Fix catch-22 with algorithm IDs above 31	17 years ago
lapb	[LAPB] net/lapb/lapb_iface.c: use LIST_HEAD instead of LIST_HEAD_INIT	17 years ago
llc	[LLC]: skb allocation size for responses	17 years ago
mac80211	mac80211: remove message on receiving unexpected unencrypted frames	17 years ago
netfilter	{nfnetlink, ip, ip6}_queue: fix skb_over_panic when enlarging packets	17 years ago
netlabel
netlink
netrom
packet
rfkill
rose
rxrpc
sched
sctp
sunrpc
tipc
unix
wanrouter
wireless
x25
xfrm
Kconfig
Makefile
TUNABLE
compat.c
nonet.c
socket.c
sysctl_net.c

GitLab

Menu

Download source code

Download this directory