From: Stefan Richter
Date: Sat, 29 Oct 2016 19:28:18 +0000 (+0200)
Subject: firewire: net: guard against rx buffer overflows
X-Git-Tag: v3.2.84~9
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4538dfea79538a98e1468088b05627f82ac69789;p=pandora-kernel.git

firewire: net: guard against rx buffer overflows

commit 667121ace9dbafb368618dbabcf07901c962ddac upstream.

The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams. A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.

So, drop any packets carrying a fragment with offset + length larger
than datagram_size.

In addition, ensure that
  - GASP header, unfragmented encapsulation header, or fragment
    encapsulation header actually exists before we access it,
  - the encapsulated datagram or fragment is of nonzero size.

Reported-by: Eyal Itkin
Reviewed-by: Eyal Itkin
Fixes: CVE 2016-8633
Signed-off-by: Stefan Richter
[bwh: Backported to 3.2: fwnet_receive_broadcast() never matches IPv6 packets]
Signed-off-by: Ben Hutchings
---
Reading git-diff-tree failed
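
The checks the commit message describes, as an added user-space C sketch. It is not the firewire-net patch or any code from the kernel tree; the helper names `payload_len`, `copy_fragment` and `demo` are hypothetical, and the header sizes are those of RFC 2734.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Encapsulation header sizes per RFC 2734: one quadlet when unfragmented,
 * two quadlets for a fragment. */
#define UNFRAG_HDR_SIZE 4u
#define FRAG_HDR_SIZE   8u

/* Hypothetical helper: returns the payload length after the encapsulation
 * header, or 0 if the header is not fully present or the payload is empty. */
static size_t payload_len(size_t pkt_len, int is_fragment)
{
    size_t hdr = is_fragment ? FRAG_HDR_SIZE : UNFRAG_HDR_SIZE;

    if (pkt_len <= hdr)   /* header missing, truncated, or zero payload */
        return 0;
    return pkt_len - hdr;
}

/* Hypothetical helper: copy one fragment into the reassembly buffer.
 * Returns 0 on success, -1 if the fragment must be dropped. */
static int copy_fragment(uint8_t *datagram, size_t datagram_size,
                         size_t frag_off, const uint8_t *frag, size_t frag_len)
{
    if (frag_len == 0)
        return -1;
    /* Same test as frag_off + frag_len > datagram_size, written so the
     * addition cannot wrap around. */
    if (frag_off > datagram_size || frag_len > datagram_size - frag_off)
        return -1;
    memcpy(datagram + frag_off, frag, frag_len);
    return 0;
}

/* Constructed self-check: canary bytes follow a 16-byte datagram buffer. */
static int demo(void)
{
    uint8_t buf[16 + 4];
    const uint8_t frag[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    int ok_fit, ok_drop;

    memset(buf, 0xAA, sizeof(buf));
    ok_fit  = copy_fragment(buf, 16, 8, frag, 8) == 0;    /* 8 + 8 == 16 */
    ok_drop = copy_fragment(buf, 16, 12, frag, 8) == -1;  /* 12 + 8 > 16 */
    return ok_fit && ok_drop && buf[15] == 8 && buf[16] == 0xAA;
}

int main(void) { return demo() ? 0 : 1; }
```

The subtraction form of the bounds test matters when offset and length come from the wire: a naive `frag_off + frag_len` can wrap and pass the comparison.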