commit ddb2c43594f22843e9f3153da151deaba1a834c5 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

asn1: additional sanity checking during BER decoding

- Don't trust a length which is greater than the working buffer.
An invalid length could cause overflow when calculating buffer size
for decoding oid.

- An oid length of zero is invalid and allows for an off-by-one error when
decoding oid because the first subid actually encodes first 2 subids.

- A primitive encoding may not have an indefinite length.

Thanks to Wei Wang from McAfee for report.

Cc: Steven French <sfrench@us.ibm.com>
Cc: stable@kernel.org
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Chris Wright and committed by Linus Torvalds 17 years ago ddb2c435 efedf51c

+28

2 changed files

expand all

unified split

cifs

asn1.c

net

ipv4

netfilter

nf_nat_snmp_basic.c

+14

fs/cifs/asn1.c

··· 186 } 187 } 188 } 189 return 1; 190 } 191 ··· 206 return 0; 207 208 if (!asn1_length_decode(ctx, &def, &len)) 209 return 0; 210 211 if (def) ··· 398 unsigned long *optr; 399 400 size = eoc - ctx->pointer + 1; 401 *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC); 402 if (*oid == NULL) 403 return 0;

··· 186 } 187 } 188 } 189 + 190 + /* don't trust len bigger than ctx buffer */ 191 + if (*len > ctx->end - ctx->pointer) 192 + return 0; 193 + 194 return 1; 195 } 196 ··· 201 return 0; 202 203 if (!asn1_length_decode(ctx, &def, &len)) 204 + return 0; 205 + 206 + /* primitive shall be definite, indefinite shall be constructed */ 207 + if (*con == ASN1_PRI && !def) 208 return 0; 209 210 if (def) ··· 389 unsigned long *optr; 390 391 size = eoc - ctx->pointer + 1; 392 + 393 + /* first subid actually encodes first two subids */ 394 + if (size < 2 || size > ULONG_MAX/sizeof(unsigned long)) 395 + return 0; 396 + 397 *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC); 398 if (*oid == NULL) 399 return 0;

+14

net/ipv4/netfilter/nf_nat_snmp_basic.c

··· 232 } 233 } 234 } 235 return 1; 236 } 237 ··· 253 254 def = len = 0; 255 if (!asn1_length_decode(ctx, &def, &len)) 256 return 0; 257 258 if (def) ··· 443 unsigned long *optr; 444 445 size = eoc - ctx->pointer + 1; 446 *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC); 447 if (*oid == NULL) { 448 if (net_ratelimit())

··· 232 } 233 } 234 } 235 + 236 + /* don't trust len bigger than ctx buffer */ 237 + if (*len > ctx->end - ctx->pointer) 238 + return 0; 239 + 240 return 1; 241 } 242 ··· 248 249 def = len = 0; 250 if (!asn1_length_decode(ctx, &def, &len)) 251 + return 0; 252 + 253 + /* primitive shall be definite, indefinite shall be constructed */ 254 + if (*con == ASN1_PRI && !def) 255 return 0; 256 257 if (def) ··· 434 unsigned long *optr; 435 436 size = eoc - ctx->pointer + 1; 437 + 438 + /* first subid actually encodes first two subids */ 439 + if (size < 2 || size > ULONG_MAX/sizeof(unsigned long)) 440 + return 0; 441 + 442 *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC); 443 if (*oid == NULL) { 444 if (net_ratelimit())