rose: Add length checks to CALL_REQUEST parsing, CVE-2011-1493
authorBen Hutchings <ben@decadent.org.uk>
Thu, 28 Jul 2011 10:05:35 +0000 (11:05 +0100)
committerHerton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Mon, 29 Aug 2011 19:23:08 +0000 (16:23 -0300)
commit99d8dc2da554ed12a81e936cb7dd388f4ae69062
treee303e27fd1c8c4f4e90217392fe5bf6362cbc784
parent837a30c6f45eb795354e54394fa83f8890d3a142
rose: Add length checks to CALL_REQUEST parsing, CVE-2011-1493

Define some constant offsets for CALL_REQUEST based on the description
at <http://www.techfest.com/networking/wan/x25plp.htm> and the
definition of ROSE as using 10-digit (5-byte) addresses.  Use them
consistently.  Validate all implicit and explicit facilities lengths.
Validate the address length byte rather than either trusting or
assuming its value.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit e0bccd315db0c2f919e7fcf9cb60db21d9986f52)
CVE-2011-1493
BugLink: http://bugs.launchpad.net/bugs/816550
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
include/net/rose.h
net/rose/af_rose.c
net/rose/rose_loopback.c
net/rose/rose_route.c
net/rose/rose_subr.c