Dan Rosenberg 454240b948 ROSE: prevent heap corruption with bad facilities ... commit be20250c13 upstream. When parsing the FAC_NATIONAL_DIGIS facilities field, it's possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and abort facilities parsing on failure. Additionally, when parsing the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP facilities fields, a remote host can provide a length of less than 10, resulting in an underflow in a memcpy size, causing a kernel panic due to massive heap corruption. A length of greater than 20 results in a stack overflow of the callsign array. Abort facilities parsing on these invalid length values. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>		2011-04-30 16:53:27 +02:00
..
af_rose.c	rose: Fix signedness issues wrt. digi count.	2010-12-09 13:24:19 -08:00
Makefile	Linux-2.6.12-rc2	2005-04-16 15:20:36 -07:00
rose_dev.c	[ROSE]: Trivial compilation CONFIG_INET=n case	2007-12-05 05:37:28 -08:00
rose_in.c	[ROSE]: Supress sparse warnings	2008-01-28 15:02:44 -08:00
rose_link.c	[ROSE]: Eleminate HZ from ROSE kernel interfaces	2006-05-03 23:28:20 -07:00
rose_loopback.c	[ROSE]: Fix rose.ko oops on unload	2007-10-07 23:44:17 -07:00
rose_out.c	[PATCH] remove many unneeded #includes of sched.h	2007-02-14 08:09:54 -08:00
rose_route.c	rose: improving AX25 routing frames via ROSE network	2008-06-17 17:08:32 -07:00
rose_subr.c	ROSE: prevent heap corruption with bad facilities	2011-04-30 16:53:27 +02:00
rose_timer.c	[ROSE]: rose_heartbeat_expiry() locking fix	2005-10-31 16:41:45 -02:00
sysctl_net_rose.c	[NET]: Simple ctl_table to ctl_path conversions.	2008-01-28 15:01:07 -08:00