aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChris Wright <chrisw@sous-sol.org>2008-07-14 21:09:23 +0300
committerAdrian Bunk <bunk@kernel.org>2008-07-14 21:09:23 +0300
commitce76a6f4392d1f1ca37fe9514daa69a99db2fcb7 (patch)
tree2238a46b0a920f375062422a008d5ed4708d837e
parentb9954f3d67c9f9e8611ec6c94955eecc0e309a26 (diff)
downloadlinux-linaro-stable-ce76a6f4392d1f1ca37fe9514daa69a99db2fcb7.tar.gz
asn1: additional sanity checking during BER decoding (CVE-2008-1673)
- Don't trust a length which is greater than the working buffer. An invalid length could cause overflow when calculating buffer size for decoding oid. - An oid length of zero is invalid and allows for an off-by-one error when decoding oid because the first subid actually encodes first 2 subids. - A primitive encoding may not have an indefinite length. Thanks to Wei Wang from McAfee for report. Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Adrian Bunk <bunk@kernel.org>
-rw-r--r--fs/cifs/asn1.c14
-rw-r--r--net/ipv4/netfilter/ip_nat_snmp_basic.c14
2 files changed, 28 insertions, 0 deletions
diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c
index 086ae8f4a207..dcafda8315c3 100644
--- a/fs/cifs/asn1.c
+++ b/fs/cifs/asn1.c
@@ -183,6 +183,11 @@ asn1_length_decode(struct asn1_ctx *ctx, unsigned int *def, unsigned int *len)
}
}
}
+
+ /* don't trust len bigger than ctx buffer */
+ if (*len > ctx->end - ctx->pointer)
+ return 0;
+
return 1;
}
@@ -200,6 +205,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
if (!asn1_length_decode(ctx, &def, &len))
return 0;
+ /* primitive shall be definite, indefinite shall be constructed */
+ if (*con == ASN1_PRI && !def)
+ return 0;
+
if (def)
*eoc = ctx->pointer + len;
else
@@ -386,6 +395,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
unsigned long *optr;
size = eoc - ctx->pointer + 1;
+
+ /* first subid actually encodes first two subids */
+ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
+ return 0;
+
*oid = kmalloc(size * sizeof (unsigned long), GFP_ATOMIC);
if (*oid == NULL) {
return 0;
diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c
index df57e7a117db..5a9c8dbdfcad 100644
--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -236,6 +236,11 @@ static unsigned char asn1_length_decode(struct asn1_ctx *ctx,
}
}
}
+
+ /* don't trust len bigger than ctx buffer */
+ if (*len > ctx->end - ctx->pointer)
+ return 0;
+
return 1;
}
@@ -253,6 +258,10 @@ static unsigned char asn1_header_decode(struct asn1_ctx *ctx,
if (!asn1_length_decode(ctx, &def, &len))
return 0;
+ /* primitive shall be definite, indefinite shall be constructed */
+ if (*con == ASN1_PRI && !def)
+ return 0;
+
if (def)
*eoc = ctx->pointer + len;
else
@@ -437,6 +446,11 @@ static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
unsigned long *optr;
size = eoc - ctx->pointer + 1;
+
+ /* first subid actually encodes first two subids */
+ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
+ return 0;
+
*oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
if (*oid == NULL) {
if (net_ratelimit())