rose: Add length checks to CALL_REQUEST parsing, CVE-2011-1493
authorBen Hutchings <ben@decadent.org.uk>
Thu, 28 Jul 2011 10:05:34 +0000 (11:05 +0100)
committerTim Gardner <tim.gardner@canonical.com>
Thu, 28 Jul 2011 13:08:26 +0000 (07:08 -0600)
commitc1c3252ce9e1853d23b5e7b128acbdb4d9594f09
tree3c7e772984a27c5b17b75eb76058c7ec39d3fded
parent1ccbea50981ed17ceece93327cbf82d89b429c6d
rose: Add length checks to CALL_REQUEST parsing, CVE-2011-1493

Define some constant offsets for CALL_REQUEST based on the description
at <http://www.techfest.com/networking/wan/x25plp.htm> and the
definition of ROSE as using 10-digit (5-byte) addresses.  Use them
consistently.  Validate all implicit and explicit facilities lengths.
Validate the address length byte rather than either trusting or
assuming its value.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit e0bccd315db0c2f919e7fcf9cb60db21d9986f52)
CVE-2011-1493
BugLink: http://bugs.launchpad.net/bugs/816550
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
include/net/rose.h
net/rose/af_rose.c
net/rose/rose_loopback.c
net/rose/rose_route.c
net/rose/rose_subr.c