www.infradead.org Git - users/jedix/linux-maple.git/commit

author	David Howells <dhowells@redhat.com>
	Wed, 14 Jun 2017 23:12:24 +0000 (00:12 +0100)
committer	Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
	Fri, 29 Sep 2017 18:27:33 +0000 (11:27 -0700)
commit	70d300d0273d1f4505698dedcbaedec7dfa371f6
tree	44337a59b1f937a538964155095065243861ddec	tree
parent	5c05d8f5920ed35dc15e39db679fbd1825892324	commit \| diff

rxrpc: Fix several cases where a padded len isn't checked in ticket decode

This fixes CVE-2017-7482.

When a kerberos 5 ticket is being decoded so that it can be loaded into an
rxrpc-type key, there are several places in which the length of a
variable-length field is checked to make sure that it's not going to
overrun the available data - but the data is padded to the nearest
four-byte boundary and the code doesn't check for this extra. This could
lead to the size-remaining variable wrapping and the data pointer going
over the end of the buffer.

Fix this by making the various variable-length data checks use the padded
length.

Reported-by: 石磊 <shilei-c@360.cn>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Marc Dionne <marc.c.dionne@auristor.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(backported from commit 5f2f97656ada8d811d3c1bef503ced266fcd53a0)

Orabug: 26376434
CVE: CVE-2017-7482

Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>