git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Chris Wright <chrisw@sous-sol.org>
	Mon, 14 Jul 2008 18:09:23 +0000 (21:09 +0300)
committer	Adrian Bunk <bunk@kernel.org>
	Mon, 14 Jul 2008 18:09:23 +0000 (21:09 +0300)
commit	ce76a6f4392d1f1ca37fe9514daa69a99db2fcb7
tree	2238a46b0a920f375062422a008d5ed4708d837e	tree \| snapshot
parent	b9954f3d67c9f9e8611ec6c94955eecc0e309a26	commit \| diff

asn1: additional sanity checking during BER decoding (CVE-2008-1673)

- Don't trust a length which is greater than the working buffer.
  An invalid length could cause overflow when calculating buffer size
  for decoding oid.

- An oid length of zero is invalid and allows for an off-by-one error when
  decoding oid because the first subid actually encodes first 2 subids.

- A primitive encoding may not have an indefinite length.

Thanks to Wei Wang from McAfee for report.

Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>

fs/cifs/asn1.c		diff \| blob \| history
net/ipv4/netfilter/ip_nat_snmp_basic.c		diff \| blob \| history