trunk/2.6.18/30072_asn1-ber-decoding-checks.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103

From: Chris Wright <chrisw@sous-sol.org>
Date: Wed, 4 Jun 2008 16:16:33 +0000 (-0700)
Subject: asn1: additional sanity checking during BER decoding
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ddb2c43594f22843e9f3153da151deaba1a834c5

asn1: additional sanity checking during BER decoding

- Don't trust a length which is greater than the working buffer.
  An invalid length could cause overflow when calculating buffer size
  for decoding oid.

- An oid length of zero is invalid and allows for an off-by-one error when
  decoding oid because the first subid actually encodes first 2 subids.

- A primitive encoding may not have an indefinite length.

Thanks to Wei Wang from McAfee for report.

Cc: Steven French <sfrench@us.ibm.com>
Cc: stable@kernel.org
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---

Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>

diff -urpN linux-source-2.6.18.orig/fs/cifs/asn1.c linux-source-2.6.18/fs/cifs/asn1.c
--- linux-source-2.6.18.orig/fs/cifs/asn1.c	2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/fs/cifs/asn1.c	2008-06-05 21:52:32.000000000 -0600
@@ -182,6 +182,11 @@ asn1_length_decode(struct asn1_ctx *ctx,
 			}
 		}
 	}
+
+	/* don't trust len bigger than ctx buffer */
+	if (*len > ctx->end - ctx->pointer)
+		return 0;
+
 	return 1;
 }
 
@@ -199,6 +204,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
 	if (!asn1_length_decode(ctx, &def, &len))
 		return 0;
 
+	/* primitive shall be definite, indefinite shall be constructed */
+	if (*con == ASN1_PRI && !def)
+		return 0;
+
 	if (def)
 		*eoc = ctx->pointer + len;
 	else
@@ -385,6 +394,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
 	unsigned long *optr;
 
 	size = eoc - ctx->pointer + 1;
+
+	/* first subid actually encodes first two subids */
+	if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
+		return 0;
+
 	*oid = kmalloc(size * sizeof (unsigned long), GFP_ATOMIC);
 	if (*oid == NULL) {
 		return 0;
diff -urpN linux-source-2.6.18.orig/net/ipv4/netfilter/ip_nat_snmp_basic.c linux-source-2.6.18/net/ipv4/netfilter/ip_nat_snmp_basic.c
--- linux-source-2.6.18.orig/net/ipv4/netfilter/ip_nat_snmp_basic.c	2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/net/ipv4/netfilter/ip_nat_snmp_basic.c	2008-06-05 21:53:29.000000000 -0600
@@ -235,6 +235,11 @@ static unsigned char asn1_length_decode(
 			}
 		}
 	}
+
+	/* don't trust len bigger than ctx buffer */
+	if (*len > ctx->end - ctx->pointer)
+		return 0;
+
 	return 1;
 }
 
@@ -253,6 +258,10 @@ static unsigned char asn1_header_decode(
 	if (!asn1_length_decode(ctx, &def, &len))
 		return 0;
 		
+	/* primitive shall be definite, indefinite shall be constructed */
+	if (*con == ASN1_PRI && !def)
+		return 0;
+
 	if (def)
 		*eoc = ctx->pointer + len;
 	else
@@ -437,6 +446,11 @@ static unsigned char asn1_oid_decode(str
 	unsigned long *optr;
 	
 	size = eoc - ctx->pointer + 1;
+
+	/* first subid actually encodes first two subids */
+	if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
+		return 0;
+
 	*oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
 	if (*oid == NULL) {
 		if (net_ratelimit())