netsniff-ng.git - A high-performance Linux networking toolkit

Age	Commit message (Expand)	Author	Files	Lines
2013-06-04	xutils: break out string handling and locking	Daniel Borkmann	1	-0/+88

'>ignoremode:

author	Stefan Richter <stefanr@s5r6.in-berlin.de>	2016-10-29 21:28:18 +0200
committer	Stefan Richter <stefanr@s5r6.in-berlin.de>	2016-11-03 14:46:39 +0100
commit	667121ace9dbafb368618dbabcf07901c962ddac (patch)
tree	a73ac08b8ff287151a62bfadc8acf167a3837194
parent	6449e31ddebdce68508cfaf0915d31aad3835f4f (diff)

firewire: net: guard against rx buffer overflows

The IP-over-1394 driver firewire-net lacked input validation when handling incoming fragmented datagrams. A maliciously formed fragment with a respectively large datagram_offset would cause a memcpy past the datagram buffer. So, drop any packets carrying a fragment with offset + length larger than datagram_size. In addition, ensure that - GASP header, unfragmented encapsulation header, or fragment encapsulation header actually exists before we access it, - the encapsulated datagram or fragment is of nonzero size. Reported-by: Eyal Itkin <eyal.itkin@gmail.com> Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com> Fixes: CVE 2016-8633 Cc: stable@vger.kernel.org Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

Diffstat