[Patch] dvb-core: Proper handling ULE SNDU length of 0

From: Ang Way Chuang
Date: Sun Aug 20 2006 - 23:54:31 EST

Next message: Ian Kent: "[PATCH] autofs4 - autofs4_follow_link false negative fix"
Previous message: Jesse Huang: "Re: [PATCH 5/6] IP100A correct init and close step"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation code
has a bug that allows an attacker to send a malformed ULE packet with SNDU
length of 0 and bring down the receiving machine. This patch fix the bug and
apply to kernel 2.6.17.8.

Signed-off-by: Ang Way Chuang <wcang@xxxxxxxxxxxxx>
---

diff -uprN linux-2.6.17.8/drivers/media/dvb/dvb-core/dvb_net.c linux-2.6.17.8-fix/drivers/media/dvb/dvb-core/dvb_net.c
--- linux-2.6.17.8/drivers/media/dvb/dvb-core/dvb_net.c 2006-08-07 12:18:54.000000000 +0800
+++ linux-2.6.17.8-fix/drivers/media/dvb/dvb-core/dvb_net.c 2006-08-21 11:09:12.000000000 +0800
@@ -492,7 +492,7 @@ static void dvb_net_ule( struct net_devi
} else
priv->ule_dbit = 0;

- if (priv->ule_sndu_len > 32763) {
+ if (priv->ule_sndu_len > 32763 || priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
"Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
priv->ule_sndu_len = 0;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ian Kent: "[PATCH] autofs4 - autofs4_follow_link false negative fix"
Previous message: Jesse Huang: "Re: [PATCH 5/6] IP100A correct init and close step"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]