* [PATCH] irda: validate peer name and attribute lengths
@ 2011-03-21 1:32 Dan Rosenberg
2011-03-21 11:32 ` Dan Rosenberg
2011-03-28 0:59 ` David Miller
0 siblings, 2 replies; 3+ messages in thread
From: Dan Rosenberg @ 2011-03-21 1:32 UTC (permalink / raw)
To: Samuel Ortiz, David S. Miller; +Cc: netdev, security
Length fields provided by a peer for names and attributes may be longer
than the destination array sizes. Validate lengths to prevent stack
buffer overflows.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
---
net/irda/iriap.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index 5b743bd..3647753 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -656,10 +656,16 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self,
n = 1;
name_len = fp[n++];
+
+ IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;);
+
memcpy(name, fp+n, name_len); n+=name_len;
name[name_len] = '\0';
attr_len = fp[n++];
+
+ IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;);
+
memcpy(attr, fp+n, attr_len); n+=attr_len;
attr[attr_len] = '\0';
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] irda: validate peer name and attribute lengths
2011-03-21 1:32 [PATCH] irda: validate peer name and attribute lengths Dan Rosenberg
@ 2011-03-21 11:32 ` Dan Rosenberg
2011-03-28 0:59 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: Dan Rosenberg @ 2011-03-21 11:32 UTC (permalink / raw)
To: Samuel Ortiz; +Cc: David S. Miller, netdev, security
On Sun, 2011-03-20 at 21:32 -0400, Dan Rosenberg wrote:
> Length fields provided by a peer for names and attributes may be longer
> than the destination array sizes. Validate lengths to prevent stack
> buffer overflows.
>
While this is the most serious bug I see, this function also seems to
lack any validation against skb->len. If someone wants to take care of
this, by all means...if not, I'll post a follow-up patch in the next day
or so.
-Dan
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: stable@kernel.org
> ---
> net/irda/iriap.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/net/irda/iriap.c b/net/irda/iriap.c
> index 5b743bd..3647753 100644
> --- a/net/irda/iriap.c
> +++ b/net/irda/iriap.c
> @@ -656,10 +656,16 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self,
> n = 1;
>
> name_len = fp[n++];
> +
> + IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;);
> +
> memcpy(name, fp+n, name_len); n+=name_len;
> name[name_len] = '\0';
>
> attr_len = fp[n++];
> +
> + IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;);
> +
> memcpy(attr, fp+n, attr_len); n+=attr_len;
> attr[attr_len] = '\0';
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] irda: validate peer name and attribute lengths
2011-03-21 1:32 [PATCH] irda: validate peer name and attribute lengths Dan Rosenberg
2011-03-21 11:32 ` Dan Rosenberg
@ 2011-03-28 0:59 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2011-03-28 0:59 UTC (permalink / raw)
To: drosenberg; +Cc: samuel, netdev, security
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Sun, 20 Mar 2011 21:32:06 -0400
> Length fields provided by a peer for names and attributes may be longer
> than the destination array sizes. Validate lengths to prevent stack
> buffer overflows.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: stable@kernel.org
Applied.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2011-03-28 1:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-03-21 1:32 [PATCH] irda: validate peer name and attribute lengths Dan Rosenberg
2011-03-21 11:32 ` Dan Rosenberg
2011-03-28 0:59 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).