linux/net/rxrpc
David Howells 5f2f97656a rxrpc: Fix several cases where a padded len isn't checked in ticket decode
This fixes CVE-2017-7482.

When a kerberos 5 ticket is being decoded so that it can be loaded into an
rxrpc-type key, there are several places in which the length of a
variable-length field is checked to make sure that it's not going to
overrun the available data - but the data is padded to the nearest
four-byte boundary and the code doesn't check for this extra.  This could
lead to the size-remaining variable wrapping and the data pointer going
over the end of the buffer.

Fix this by making the various variable-length data checks use the padded
length.

Reported-by: 石磊 <shilei-c@360.cn>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Marc Dionne <marc.c.dionne@auristor.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-15 14:23:44 -04:00
..
af_rxrpc.c rxrpc: Fix deadlock between call creation and sendmsg/recvmsg 2017-03-01 09:50:58 -08:00
ar-internal.h rxrpc: Trace protocol errors in received packets 2017-04-06 11:09:39 +01:00
call_accept.c rxrpc: Use negative error codes in rxrpc_call struct 2017-04-06 10:11:56 +01:00
call_event.c rxrpc: Use negative error codes in rxrpc_call struct 2017-04-06 10:11:56 +01:00
call_object.c rxrpc: Use negative error codes in rxrpc_call struct 2017-04-06 10:11:56 +01:00
conn_client.c rxrpc: Trace client call connection 2017-04-06 11:10:41 +01:00
conn_event.c rxrpc: Trace protocol errors in received packets 2017-04-06 11:09:39 +01:00
conn_object.c rxrpc: Add some more tracing 2017-01-05 11:39:12 +00:00
conn_service.c rxrpc: Add connection tracepoint and client conn state tracepoint 2016-09-17 11:24:03 +01:00
input.c rxrpc: Trace changes in a call's receive window size 2017-04-06 11:10:41 +01:00
insecure.c rxrpc: Trace protocol errors in received packets 2017-04-06 11:09:39 +01:00
Kconfig rxrpc: Add config to inject packet loss 2016-09-17 11:24:04 +01:00
key.c rxrpc: Fix several cases where a padded len isn't checked in ticket decode 2017-06-15 14:23:44 -04:00
local_event.c rxrpc: The offset field in struct rxrpc_skb_priv is unnecessary 2016-09-30 14:39:28 +01:00
local_object.c rxrpc: Reduce the rxrpc_local::services list to a pointer 2016-09-29 22:57:47 +01:00
Makefile rxrpc: Change module filename to rxrpc.ko 2017-02-17 15:09:19 -05:00
misc.c rxrpc: Fix handling of enums-to-string translation in tracing 2017-01-05 10:38:33 +00:00
output.c rxrpc: Don't request an ACK on the last DATA packet of a call's Tx phase 2016-10-06 08:11:51 +01:00
peer_event.c rxrpc: Use negative error codes in rxrpc_call struct 2017-04-06 10:11:56 +01:00
peer_object.c rxrpc: Fix checking of error from ip6_route_output() 2016-10-13 08:43:17 +01:00
proc.c rxrpc: Show a call's hard-ACK cursors in /proc/net/rxrpc_calls 2017-01-05 11:39:44 +00:00
recvmsg.c rxrpc: Trace protocol errors in received packets 2017-04-06 11:09:39 +01:00
rxkad.c rxrpc: Trace protocol errors in received packets 2017-04-06 11:09:39 +01:00
security.c rxrpc: Reduce the rxrpc_local::services list to a pointer 2016-09-29 22:57:47 +01:00
sendmsg.c rxrpc: Trace protocol errors in received packets 2017-04-06 11:09:39 +01:00
skbuff.c rxrpc: Make Tx loss-injection go through normal return and adjust tracing 2016-09-29 22:37:15 +01:00
sysctl.c rxrpc: Keep the call timeouts as ktimes rather than jiffies 2016-09-30 14:40:11 +01:00
utils.c rxrpc: Make IPv6 support conditional on CONFIG_IPV6 2016-09-17 03:58:45 -04:00