releases/2.6.25.5/asn1-additional-sanity-checking-during-ber-decoding.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From ddb2c43594f22843e9f3153da151deaba1a834c5 Mon Sep 17 00:00:00 2001
 From: Chris Wright <chrisw@sous-sol.org>
 Date: Wed, 4 Jun 2008 09:16:33 -0700
 Subject: asn1: additional sanity checking during BER decoding (CVE-2008-1673)

 From: Chris Wright <chrisw@sous-sol.org>

 upstream commit: ddb2c43594f22843e9f3153da151deaba1a834c5

 - Don't trust a length which is greater than the working buffer.
   An invalid length could cause overflow when calculating buffer size
   for decoding oid.

 - An oid length of zero is invalid and allows for an off-by-one error when
   decoding oid because the first subid actually encodes first 2 subids.

 - A primitive encoding may not have an indefinite length.

 Thanks to Wei Wang from McAfee for report.

 Cc: Steven French <sfrench@us.ibm.com>
 Cc: stable@kernel.org
 Acked-by: Patrick McHardy <kaber@trash.net>
 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 ---
  fs/cifs/asn1.c                         |   14 ++++++++++++++
  net/ipv4/netfilter/nf_nat_snmp_basic.c |   14 ++++++++++++++
  2 files changed, 28 insertions(+)

 --- a/fs/cifs/asn1.c
 +++ b/fs/cifs/asn1.c
 @@ -186,6 +186,11 @@ asn1_length_decode(struct asn1_ctx *ctx,
  			}
  		}
  	}
 +
 +	/* don't trust len bigger than ctx buffer */
 +	if (*len > ctx->end - ctx->pointer)
 +		return 0;
 +
  	return 1;
  }

 @@ -203,6 +208,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
  	if (!asn1_length_decode(ctx, &def, &len))
  		return 0;

 +	/* primitive shall be definite, indefinite shall be constructed */
 +	if (*con == ASN1_PRI && !def)
 +		return 0;
 +
  	if (def)
  		*eoc = ctx->pointer + len;
  	else
 @@ -389,6 +398,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
  	unsigned long *optr;

  	size = eoc - ctx->pointer + 1;
 +
 +	/* first subid actually encodes first two subids */
 +	if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
 +		return 0;
 +
  	*oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
  	if (*oid == NULL)
  		return 0;
 --- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
 +++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
 @@ -231,6 +231,11 @@ static unsigned char asn1_length_decode(
  			}
  		}
  	}
 +
 +	/* don't trust len bigger than ctx buffer */
 +	if (*len > ctx->end - ctx->pointer)
 +		return 0;
 +
  	return 1;
  }

 @@ -249,6 +254,10 @@ static unsigned char asn1_header_decode(
  	if (!asn1_length_decode(ctx, &def, &len))
  		return 0;

 +	/* primitive shall be definite, indefinite shall be constructed */
 +	if (*con == ASN1_PRI && !def)
 +		return 0;
 +
  	if (def)
  		*eoc = ctx->pointer + len;
  	else
 @@ -433,6 +442,11 @@ static unsigned char asn1_oid_decode(str
  	unsigned long *optr;

  	size = eoc - ctx->pointer + 1;
 +
 +	/* first subid actually encodes first two subids */
 +	if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
 +		return 0;
 +
  	*oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
  	if (*oid == NULL) {
  		if (net_ratelimit())
	From ddb2c43594f22843e9f3153da151deaba1a834c5 Mon Sep 17 00:00:00 2001
	From: Chris Wright <chrisw@sous-sol.org>
	Date: Wed, 4 Jun 2008 09:16:33 -0700
	Subject: asn1: additional sanity checking during BER decoding (CVE-2008-1673)

	From: Chris Wright <chrisw@sous-sol.org>

	upstream commit: ddb2c43594f22843e9f3153da151deaba1a834c5

	- Don't trust a length which is greater than the working buffer.
	An invalid length could cause overflow when calculating buffer size
	for decoding oid.

	- An oid length of zero is invalid and allows for an off-by-one error when
	decoding oid because the first subid actually encodes first 2 subids.

	- A primitive encoding may not have an indefinite length.

	Thanks to Wei Wang from McAfee for report.

	Cc: Steven French <sfrench@us.ibm.com>
	Cc: stable@kernel.org
	Acked-by: Patrick McHardy <kaber@trash.net>
	Signed-off-by: Chris Wright <chrisw@sous-sol.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	---
	fs/cifs/asn1.c \| 14 ++++++++++++++
	net/ipv4/netfilter/nf_nat_snmp_basic.c \| 14 ++++++++++++++
	2 files changed, 28 insertions(+)

	--- a/fs/cifs/asn1.c
	+++ b/fs/cifs/asn1.c
	@@ -186,6 +186,11 @@ asn1_length_decode(struct asn1_ctx *ctx,
	}
	}
	}
	+
	+ /* don't trust len bigger than ctx buffer */
	+ if (*len > ctx->end - ctx->pointer)
	+ return 0;
	+
	return 1;
	}

	@@ -203,6 +208,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
	if (!asn1_length_decode(ctx, &def, &len))
	return 0;

	+ /* primitive shall be definite, indefinite shall be constructed */
	+ if (*con == ASN1_PRI && !def)
	+ return 0;
	+
	if (def)
	*eoc = ctx->pointer + len;
	else
	@@ -389,6 +398,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
	unsigned long *optr;

	size = eoc - ctx->pointer + 1;
	+
	+ /* first subid actually encodes first two subids */
	+ if (size < 2 \|\| size > ULONG_MAX/sizeof(unsigned long))
	+ return 0;
	+
	oid = kmalloc(size sizeof(unsigned long), GFP_ATOMIC);
	if (*oid == NULL)
	return 0;
	--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
	+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
	@@ -231,6 +231,11 @@ static unsigned char asn1_length_decode(
	}
	}
	}
	+
	+ /* don't trust len bigger than ctx buffer */
	+ if (*len > ctx->end - ctx->pointer)
	+ return 0;
	+
	return 1;
	}

	@@ -249,6 +254,10 @@ static unsigned char asn1_header_decode(
	if (!asn1_length_decode(ctx, &def, &len))
	return 0;

	+ /* primitive shall be definite, indefinite shall be constructed */
	+ if (*con == ASN1_PRI && !def)
	+ return 0;
	+
	if (def)
	*eoc = ctx->pointer + len;
	else
	@@ -433,6 +442,11 @@ static unsigned char asn1_oid_decode(str
	unsigned long *optr;

	size = eoc - ctx->pointer + 1;
	+
	+ /* first subid actually encodes first two subids */
	+ if (size < 2 \|\| size > ULONG_MAX/sizeof(unsigned long))
	+ return 0;
	+
	oid = kmalloc(size sizeof(unsigned long), GFP_ATOMIC);
	if (*oid == NULL) {
	if (net_ratelimit())