From: Anton Arapov <aarapov@redhat.com>
Date: Fri, 30 May 2008 10:50:58 +0200
Subject: [misc] buffer overflow in ASN.1 parsing routines
Message-id: 483FBFF2.1040904@redhat.com
O-Subject: [kernel team] [PATCH RHEL5] BZ#444465: possible buffer overflow in ASN.1 parsing routines {CVE-2008-1673}
Bugzilla: 444465
RH-Acked-by: Neil Horman <nhorman@redhat.com>
RH-Acked-by: James Morris <jmorris@redhat.com>
RH-Acked-by: Jeff Layton <jlayton@redhat.com>
Bugzilla: 444465

Details: Due to an error in cifs filesystem and ip_nat_snmp_basic in the ASN.1 decoder when handling length BER encodings. This flaw can be remotely exploited by remote attackers to cause a vulnerable system to hang or even to execute arbitrary code in kernel mode.

Upstream status: not in upstream, embargoed

Test status: has been tested for build and boot. http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1338875

Notice: CVE-2008-1673 bz#444463 is a clone for RHEL4

==
fs/cifs/asn1.c | 5 +++++ net/ipv4/netfilter/ip_nat_snmp_basic.c | 5 +++++ 2 files changed, 10 insertions(+), 0 deletions(-) diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c index 2a01f3e..9fbbae8 100644 --- a/fs/cifs/asn1.c +++ b/fs/cifs/asn1.c @@ -182,6 +182,11 @@ asn1_length_decode(struct asn1_ctx *ctx, unsigned int *def, unsigned int *len) } } } + + /* don't trust len bigger than ctx buffer */ + if (*len > ctx->end - ctx->pointer) + return 0; + return 1; } diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c index 18b7fbd..6fc60ca 100644 --- a/net/ipv4/netfilter/ip_nat_snmp_basic.c +++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c @@ -235,6 +235,11 @@ static unsigned char asn1_length_decode(struct asn1_ctx *ctx, } } } + + /* don't trust len bigger than ctx buffer */ + if (*len > ctx->end - ctx->pointer) + return 0; + return 1; }
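Review bot: in the fs/cifs/asn1.c hunk, the new `if (*len > ctx->end - ctx->pointer)` runs on every path that reaches the final `return 1`, including the indefinite-length path, so `*len` must be assigned there as well; if that branch only sets `*def`, the comparison reads whatever value the caller left in `*len` and can either reject a well-formed indefinite length or wave a stale value through. Either initialise `*len = 0` before the branches or guard the check with `if (*def && *len > ctx->end - ctx->pointer)`. The comment `/* don't trust len bigger than ctx buffer */` would also be clearer as `/* reject a length that runs past the end of the input buffer */`.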
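Review bot: the ip_nat_snmp_basic.c hunk compares the `unsigned int` behind `*len` with the pointer difference `ctx->end - ctx->pointer`, whose type is the signed `ptrdiff_t`; on 32-bit builds that is `int`, so the usual arithmetic conversions turn the comparison unsigned and a negative difference (pointer already past end) would wrap to a huge value and pass the check. The check is therefore only sound while `ctx->pointer <= ctx->end` is an invariant maintained by the preceding octet reads; state that in the comment, or write it as `if (ctx->pointer > ctx->end || *len > (unsigned int)(ctx->end - ctx->pointer))`. Since these five lines are a verbatim copy of the fs/cifs/asn1.c change, the changelog should also say that the two ASN.1 decoders are independent copies that have to be patched together.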
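To show what the "Details" paragraph and the patch's length check protect against, here is an added example of a BER length decoder with that check in place; it is not the kernel's code, the `struct asn1_ctx` field names and the `ber_length_of` helper are assumed for this illustration, and the width check on long-form lengths goes beyond what the patch itself adds.

```c
#include <stddef.h>
struct asn1_ctx {   /* in the style of the kernel's struct asn1_ctx (names assumed) */
    const unsigned char *pointer;   /* next byte to read */
    const unsigned char *end;       /* one past the last valid byte */
};
/* Read one octet, failing if the input is exhausted. */
static int asn1_octet_decode(struct asn1_ctx *ctx, unsigned char *ch)
{
    if (ctx->pointer >= ctx->end)
        return 0;
    *ch = *ctx->pointer++;
    return 1;
}
/* Decode a BER length: *def is 1 for definite form, 0 for indefinite (0x80);
 * *len is the length (0 if indefinite). Returns 0 on truncated input, on a
 * long form wider than *len and, as in the patch, on a length past the end. */
static int asn1_length_decode(struct asn1_ctx *ctx, unsigned int *def,
                              unsigned int *len)
{
    unsigned char ch, cnt;
    if (!asn1_octet_decode(ctx, &ch))
        return 0;
    *def = (ch != 0x80);
    *len = 0;
    if (ch < 0x80) {                    /* short form: 7-bit length */
        *len = ch;
    } else if (ch > 0x80) {             /* long form: low 7 bits = octet count */
        cnt = ch & 0x7F;
        if (cnt > sizeof(*len))
            return 0;                   /* would overflow *len */
        while (cnt-- > 0) {
            if (!asn1_octet_decode(ctx, &ch))
                return 0;
            *len = (*len << 8) | ch;
        }
    }
    /* The patch's check: never trust a length that runs past the buffer.
     * pointer <= end holds because every read went through asn1_octet_decode. */
    if (*len > (size_t)(ctx->end - ctx->pointer))
        return 0;
    return 1;
}
/* Test helper: decode buf[0..n); returns the length, -1 if rejected, -2 if
 * the input carried a valid indefinite-form length. */
static long ber_length_of(const unsigned char *buf, size_t n)
{
    struct asn1_ctx ctx = { buf, buf + n };
    unsigned int def, len;
    return asn1_length_decode(&ctx, &def, &len) ? (def ? (long)len : -2) : -1;
}
```

The rejected cases are exactly the inputs the unpatched decoder would have accepted with a length larger than the remaining buffer.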