| From stable-bounces@linux.kernel.org Thu Aug 31 23:13:57 2006 |
| Message-ID: <42895.10.207.160.203.1157091181.squirrel@10.207.160.104> |
| Date: Fri, 1 Sep 2006 14:13:01 +0800 (MYT) |
| From: "Ang Way Chuang" <wcang@nrg.cs.usm.my> |
| To: stable@kernel.org |
| Cc: chteh@nrg.cs.usm.my, vendor-sec@lst.de, Greg KH <greg@kroah.com>, |
| "Luiz Fernando N. Capitulino" <lcapitulino@mandriva.com.br>, |
| tcwan@cs.usm.my |
| Subject: dvb-core: Proper handling ULE SNDU length of 0 (CVE-2006-4623) |
| |
| From: Ang Way Chuang <wcang@nrg.cs.usm.my> |
| |
| ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation |
| code has a bug that allows an attacker to send a malformed ULE packet |
| with SNDU length of 0 and bring down the receiving machine. This patch |
| fix the bug and has been tested on version 2.6.17.11. This bug is 100% |
| reproducible and the modified source code (GPL) used to produce this bug |
| will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The |
| kernel will produce a dump during CRC32 checking on faulty ULE packet. |
| |
| |
| Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/media/dvb/dvb-core/dvb_net.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- linux-2.6.17.13.orig/drivers/media/dvb/dvb-core/dvb_net.c |
| +++ linux-2.6.17.13/drivers/media/dvb/dvb-core/dvb_net.c |
| @@ -492,7 +492,8 @@ static void dvb_net_ule( struct net_devi |
| } else |
| priv->ule_dbit = 0; |
| |
| - if (priv->ule_sndu_len > 32763) { |
| + if (priv->ule_sndu_len > 32763 || |
| + priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) { |
| printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. " |
| "Resyncing.\n", priv->ts_count, priv->ule_sndu_len); |
| priv->ule_sndu_len = 0; |