summaryrefslogtreecommitdiffstats
path: root/net/sctp/socket.c
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2017-06-15 01:12:24 +0200
committerDavid S. Miller <davem@davemloft.net>2017-06-15 20:23:44 +0200
commit5f2f97656ada8d811d3c1bef503ced266fcd53a0 (patch)
treed119058f42744118b8514c9810c977609bbb26bb /net/sctp/socket.c
parentipv6: fix calling in6_ifa_hold incorrectly for dad work (diff)
downloadlinux-5f2f97656ada8d811d3c1bef503ced266fcd53a0.tar.xz
linux-5f2f97656ada8d811d3c1bef503ced266fcd53a0.zip
rxrpc: Fix several cases where a padded len isn't checked in ticket decode
This fixes CVE-2017-7482. When a kerberos 5 ticket is being decoded so that it can be loaded into an rxrpc-type key, there are several places in which the length of a variable-length field is checked to make sure that it's not going to overrun the available data - but the data is padded to the nearest four-byte boundary and the code doesn't check for this extra. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. Fix this by making the various variable-length data checks use the padded length. Reported-by: 石磊 <shilei-c@360.cn> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Marc Dionne <marc.c.dionne@auristor.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions