Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dff462fc authored by Stefan Richter's avatar Stefan Richter Committed by Sasha Levin
Browse files

firewire: net: guard against rx buffer overflows 



[ Upstream commit 667121ace9dbafb368618dbabcf07901c962ddac ]

The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams.  A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.

So, drop any packets carrying a fragment with offset + length larger
than datagram_size.

In addition, ensure that
  - GASP header, unfragmented encapsulation header, or fragment
    encapsulation header actually exists before we access it,
  - the encapsulated datagram or fragment is of nonzero size.

Reported-by: default avatarEyal Itkin <eyal.itkin@gmail.com>
Reviewed-by: default avatarEyal Itkin <eyal.itkin@gmail.com>
Fixes: CVE 2016-8633
Cc: stable@vger.kernel.org
Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
parent 056bcad9
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment