Re: [PATCH net] rxrpc: Fix several cases where a padded len isn't checked in ticket decode

From: David Miller
Date: Thu Jun 15 2017 - 14:27:42 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.9 011/108] ipv6: Inhibit IPv4-mapped src address on the wire."
Previous message: Greg Kroah-Hartman: "[PATCH 4.9 010/108] ipv6: Handle IPv4-mapped src to in6addr_any dst."
In reply to: David Howells: "[PATCH net] rxrpc: Fix several cases where a padded len isn't checked in ticket decode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Howells <dhowells@xxxxxxxxxx>
Date: Thu, 15 Jun 2017 00:12:24 +0100

> This fixes CVE-2017-7482.
>
> When a kerberos 5 ticket is being decoded so that it can be loaded into an
> rxrpc-type key, there are several places in which the length of a
> variable-length field is checked to make sure that it's not going to
> overrun the available data - but the data is padded to the nearest
> four-byte boundary and the code doesn't check for this extra. This could
> lead to the size-remaining variable wrapping and the data pointer going
> over the end of the buffer.
>
> Fix this by making the various variable-length data checks use the padded
> length.
>
> Reported-by: 石磊 <shilei-c@xxxxxx>
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> Reviewed-by: Marc Dionne <marc.c.dionne@xxxxxxxxxxxx>
> Reviewed-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Applied, thanks David.

Next message: Greg Kroah-Hartman: "[PATCH 4.9 011/108] ipv6: Inhibit IPv4-mapped src address on the wire."
Previous message: Greg Kroah-Hartman: "[PATCH 4.9 010/108] ipv6: Handle IPv4-mapped src to in6addr_any dst."
In reply to: David Howells: "[PATCH net] rxrpc: Fix several cases where a padded len isn't checked in ticket decode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]