kernel-2.6.18-238.el5.src.rpm

From: Anton Arapov <aarapov@redhat.com>
Date: Fri, 30 May 2008 10:50:58 +0200
Subject: [misc] buffer overflow in ASN.1 parsing routines
Message-id: 483FBFF2.1040904@redhat.com
O-Subject: [kernel team] [PATCH RHEL5] BZ#444465: possible buffer overflow in ASN.1 parsing routines {CVE-2008-1673}
Bugzilla: 444465
RH-Acked-by: Neil Horman <nhorman@redhat.com>
RH-Acked-by: James Morris <jmorris@redhat.com>
RH-Acked-by: Jeff Layton <jlayton@redhat.com>

Bugzilla: 444465

Details:
     There is an error in the cifs filesystem and ip_nat_snmp_basic ASN.1
decoder when handling BER length encodings. This flaw can be exploited by
remote attackers to cause a vulnerable system to hang or even to execute
arbitrary code in kernel mode.

Upstream status:
     not in upstream, embargoed

Test status:
     has been tested for build and boot.
     http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1338875

Notice:
     CVE-2008-1673
     bz#444463 is a clone for RHEL4

==

 fs/cifs/asn1.c                         |    5 +++++
 net/ipv4/netfilter/ip_nat_snmp_basic.c |    5 +++++
 2 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c
index 2a01f3e..9fbbae8 100644
--- a/fs/cifs/asn1.c
+++ b/fs/cifs/asn1.c
@@ -182,6 +182,11 @@ asn1_length_decode(struct asn1_ctx *ctx, unsigned int *def, unsigned int *len)
 			}
 		}
 	}
+
+	/* don't trust len bigger than ctx buffer */
+	if (*len > ctx->end - ctx->pointer)
+		return 0;
+
 	return 1;
 }
 
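Review bot: on the added line `if (*len > ctx->end - ctx->pointer)`, the left side is an unsigned int while the right side is a pointer difference (signed ptrdiff_t); the comparison is only sound if ctx->pointer can never sit past ctx->end at this point, since on 32-bit targets a negative difference converts to a large unsigned value and the check would silently pass. Worth confirming that the octet reads earlier in asn1_length_decode stop at ctx->end, and stating the invariant in the comment, e.g. `/* pointer <= end here; reject a claimed length beyond the remaining bytes */`, so the next reader does not have to re-derive it.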
diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c
index 18b7fbd..6fc60ca 100644
--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -235,6 +235,11 @@ static unsigned char asn1_length_decode(struct asn1_ctx *ctx,
 			}
 		}
 	}
+
+	/* don't trust len bigger than ctx buffer */
+	if (*len > ctx->end - ctx->pointer)
+		return 0;
+
 	return 1;
 }
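Review bot: this is the identical five-line check as the fs/cifs/asn1.c hunk, applied to a second private copy of asn1_length_decode in the SNMP NAT helper; the patch correctly fixes both, but the duplication is what let the same bug live in two places, so a sentence in the commit message noting that the two decoders must be kept in lock-step would help future backports. The same signedness question on `*len > ctx->end - ctx->pointer` applies here as well.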
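To make the effect of the check concrete, here is an added example of a minimal BER length decoder that mirrors the structure of asn1_length_decode in the hunks above. It is not the kernel's code: the struct layout, the helper names and the `check` switch are assumptions made here so the unpatched and patched behaviour can be compared on the same constructed input.

```c
/* Added example, not kernel code: a minimal BER length decoder modelled on
 * asn1_length_decode. Names and the 'check' switch are assumptions. */
#include <stddef.h>
#include <stdio.h>

struct asn1_ctx {
	const unsigned char *pointer;	/* current read position */
	const unsigned char *end;	/* one past the last valid byte */
};

/* Read one byte, refusing to run past the buffer (keeps pointer <= end). */
static int asn1_octet_decode(struct asn1_ctx *ctx, unsigned char *ch)
{
	if (ctx->pointer >= ctx->end)
		return 0;
	*ch = *ctx->pointer++;
	return 1;
}

/* Decode a BER length. *def is 1 for definite form, 0 for indefinite (0x80).
 * check == 1 applies the bounds test the patch adds; check == 0 reproduces
 * the old behaviour, where any claimed length was handed back to the caller. */
static int asn1_length_decode(struct asn1_ctx *ctx, unsigned int *def,
			      unsigned int *len, int check)
{
	unsigned char ch, cnt;

	if (!asn1_octet_decode(ctx, &ch))
		return 0;

	if (ch == 0x80) {
		*def = 0;		/* indefinite: ended by end-of-contents octets */
		*len = 0;
	} else {
		*def = 1;
		if (ch < 0x80) {
			*len = ch;	/* short form: one octet */
		} else {
			cnt = ch & 0x7F;	/* long form: cnt length octets follow */
			if (cnt == 0 || cnt > sizeof(*len))
				return 0;	/* example-only guard against wrapping *len */
			*len = 0;
			while (cnt > 0) {
				if (!asn1_octet_decode(ctx, &ch))
					return 0;
				*len <<= 8;
				*len |= ch;
				cnt--;
			}
		}
	}

	/* The patch's check, with the remaining byte count made explicitly
	 * unsigned: a claimed length beyond it cannot be honoured. */
	if (check && *def && *len > (size_t)(ctx->end - ctx->pointer))
		return 0;

	return 1;
}

/* 1 if the decoder accepts the input, 0 if it rejects it. */
static int try_decode(const unsigned char *buf, size_t n, int check)
{
	struct asn1_ctx ctx = { buf, buf + n };
	unsigned int def = 0, len = 0;

	return asn1_length_decode(&ctx, &def, &len, check);
}

/* Length value the unpatched decoder hands back (0 if it fails outright). */
static unsigned int claimed_len(const unsigned char *buf, size_t n)
{
	struct asn1_ctx ctx = { buf, buf + n };
	unsigned int def = 0, len = 0;

	return asn1_length_decode(&ctx, &def, &len, 0) ? len : 0;
}

/* Constructed inputs (not taken from the page). */
static const unsigned char sample_ok[]    = { 0x03, 'a', 'b', 'c' };	/* len 3, 3 bytes follow */
static const unsigned char sample_bad[]   = { 0x82, 0xFF, 0xFF, 'a' };	/* claims 65535, 1 byte follows */
static const unsigned char sample_indef[] = { 0x80, 0x00, 0x00 };	/* indefinite form */

int main(void)
{
	printf("valid length:     unpatched=%d patched=%d\n",
	       try_decode(sample_ok, sizeof sample_ok, 0),
	       try_decode(sample_ok, sizeof sample_ok, 1));
	printf("oversized length: unpatched=%d (len=%u) patched=%d\n",
	       try_decode(sample_bad, sizeof sample_bad, 0),
	       claimed_len(sample_bad, sizeof sample_bad),
	       try_decode(sample_bad, sizeof sample_bad, 1));
	printf("indefinite:       patched=%d\n",
	       try_decode(sample_indef, sizeof sample_indef, 1));
	return 0;
}
```

The unpatched path accepts `sample_bad` and reports a length of 65535 for a buffer with one byte left, which is exactly the value a caller would then use to size or walk its working buffer; the patched path rejects it at the length field, before any caller sees it. The indefinite form is left alone by the check, matching the hunk, since `*len` carries no claim there.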