eab38dfd66
commit 5f2f97656ada8d811d3c1bef503ced266fcd53a0 upstream. This fixes CVE-2017-7482. When a kerberos 5 ticket is being decoded so that it can be loaded into an rxrpc-type key, there are several places in which the length of a variable-length field is checked to make sure that it's not going to overrun the available data - but the data is padded to the nearest four-byte boundary and the code doesn't check for this extra. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. Fix this by making the various variable-length data checks use the padded length. Reported-by: 石磊 <shilei-c@360.cn> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Marc Dionne <marc.c.dionne@auristor.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| af_rxrpc.c | ||
| ar-accept.c | ||
| ar-ack.c | ||
| ar-call.c | ||
| ar-connection.c | ||
| ar-connevent.c | ||
| ar-error.c | ||
| ar-input.c | ||
| ar-internal.h | ||
| ar-key.c | ||
| ar-local.c | ||
| ar-output.c | ||
| ar-peer.c | ||
| ar-proc.c | ||
| ar-recvmsg.c | ||
| ar-security.c | ||
| ar-skbuff.c | ||
| ar-transport.c | ||
| Kconfig | ||
| Makefile | ||
| rxkad.c | ||
| sysctl.c | ||