Commit 57659042 authored by Dann Frazier

* bugfix/nf_conntrack_h323-bounds-checking.patch

  [SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
  index values
  See CVE-2007-3642

svn path=/dists/etch-security/linux-2.6/; revision=9118
parent 330a77a3
...@@ -13,8 +13,12 @@ linux-2.6 (2.6.18.dfsg.1-13etch1) stable-security; urgency=high ...@@ -13,8 +13,12 @@ linux-2.6 (2.6.18.dfsg.1-13etch1) stable-security; urgency=high
[SECURITY] fix unpriveleged memory leak when a PPPoE socket is released [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released
after connect but before PPPIOCGCHAN ioctl is called upon it after connect but before PPPIOCGCHAN ioctl is called upon it
See CVE-2007-2525 See CVE-2007-2525
* bugfix/nf_conntrack_h323-bounds-checking.patch
[SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
index values
See CVE-2007-3642
-- dann frazier <dannf@debian.org> Thu, 05 Jul 2007 22:35:14 -0600 -- dann frazier <dannf@debian.org> Wed, 11 Jul 2007 00:28:15 -0600
linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high
......
From: Jing Min Zhao <zhaojingmin@vivecode.com>
Date: Fri, 6 Jul 2007 00:05:01 +0000 (-0700)
Subject: [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
X-Git-Tag: v2.6.22~11^2~2
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=25845b5155b55cd77e42655ec24161ba3feffa47
[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
Choices' index values may be out of range while still encoded in the fixed
length bit-field. This bug may cause access to undefined types (NULL
pointers) and thus crashes (Reported by Zhongling Wen).
This patch also adds checking of decode flag when decoding SEQUENCEs.
Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
diff -urpN linux-source-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c linux-source-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
--- linux-source-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c 2007-07-11 00:23:22.000000000 -0600
@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t *
CHECK_BOUND(bs, 2);
len = get_len(bs);
CHECK_BOUND(bs, len);
- if (!base) {
+ if (!base || !(son->attr & DECODE)) {
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
" ", son->name);
bs->cur += len;
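Review bot: In decode_seq, the widened condition `if (!base || !(son->attr & DECODE))` now sends fields without the DECODE attribute down the skip path (`bs->cur += len`) even when `base` is set, and nothing in the code explains why. The commit message mentions this only as a side change ("also adds checking of decode flag"), so a one-line comment above the condition stating that non-DECODE fields are skipped rather than decoded would help. The changelog entry filed under CVE-2007-3642 lists only the choices' index check and could mention this second change as well.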
@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t
} else {
ext = 0;
type = get_bits(bs, f->sz);
+ if (type >= f->lb)
+ return H323_ERROR_RANGE;
}
/* Write Type */
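Review bot: The new `if (type >= f->lb)` check sits inside the `else` branch of decode_choice, so it only covers an index read with `get_bits(bs, f->sz)`. The branch before `} else {` is outside this hunk's context and should be confirmed to bound `type` as well before the value is used to select a choice. A short comment that `f->lb` serves here as the exclusive upper limit for the index would also help, since a fixed-width field of `f->sz` bits can encode values beyond it, which is the case the commit message describes.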
...@@ -3,3 +3,4 @@ ...@@ -3,3 +3,4 @@
+ bugfix/fat-fix-compat-ioctls.patch + bugfix/fat-fix-compat-ioctls.patch
+ bugfix/usblcd-limit-memory-consumption.patch + bugfix/usblcd-limit-memory-consumption.patch
+ bugfix/pppoe-socket-release-mem-leak.patch + bugfix/pppoe-socket-release-mem-leak.patch
+ bugfix/nf_conntrack_h323-bounds-checking.patch