Commit a55d3d57 authored by Dann Frazier's avatar Dann Frazier

* bugfix/dn_fib-out-of-bounds.patch

  See CVE-2007-2172

svn path=/dists/etch-security/linux-2.6/; revision=9127
parent 57659042
......@@ -17,8 +17,11 @@ linux-2.6 (2.6.18.dfsg.1-13etch1) stable-security; urgency=high
[SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
index values
See CVE-2007-3642
* bugfix/dn_fib-out-of-bounds.patch
[SECURITY] Fix out of bounds condition in dn_fib_props[]
See CVE-2007-2172
-- dann frazier <dannf@debian.org> Wed, 11 Jul 2007 00:28:15 -0600
-- dann frazier <dannf@debian.org> Thu, 12 Jul 2007 23:30:55 -0600
linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high
......
commit a979101106f549f4ed80d6dcbc35077be34d4346
Author: Thomas Graf <tgraf@suug.ch>
Date: Sat Mar 24 20:33:27 2007 -0700
[DECNet] fib: Fix out of bound access of dn_fib_props[]
Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c
index 3cbfddc..82d58a9 100644
--- a/net/decnet/dn_fib.c
+++ b/net/decnet/dn_fib.c
@@ -63,7 +63,7 @@ static struct
{
int error;
u8 scope;
-} dn_fib_props[RTA_MAX+1] = {
+} dn_fib_props[RTN_MAX+1] = {
[RTN_UNSPEC] = { .error = 0, .scope = RT_SCOPE_NOWHERE },
[RTN_UNICAST] = { .error = 0, .scope = RT_SCOPE_UNIVERSE },
[RTN_LOCAL] = { .error = 0, .scope = RT_SCOPE_HOST },
@@ -276,6 +276,9 @@ struct dn_fib_info *dn_fib_create_info(const struct rtmsg *r, struct dn_kern_rta
struct dn_fib_info *ofi;
int nhs = 1;
+ if (r->rtm_type > RTN_MAX)
+ goto err_inval;
+
if (dn_fib_props[r->rtm_type].scope > r->rtm_scope)
goto err_inval;
......@@ -4,3 +4,4 @@
+ bugfix/usblcd-limit-memory-consumption.patch
+ bugfix/pppoe-socket-release-mem-leak.patch
+ bugfix/nf_conntrack_h323-bounds-checking.patch
+ bugfix/dn_fib-out-of-bounds.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment