mirror of
https://github.com/torvalds/linux.git
synced 2024-11-23 20:51:44 +00:00
5f2f97656a
This fixes CVE-2017-7482. When a kerberos 5 ticket is being decoded so that it can be loaded into an rxrpc-type key, there are several places in which the length of a variable-length field is checked to make sure that it's not going to overrun the available data - but the data is padded to the nearest four-byte boundary and the code doesn't check for this extra. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. Fix this by making the various variable-length data checks use the padded length. Reported-by: 石磊 <shilei-c@360.cn> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Marc Dionne <marc.c.dionne@auristor.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
---|---|---|
.. | ||
af_rxrpc.c | ||
ar-internal.h | ||
call_accept.c | ||
call_event.c | ||
call_object.c | ||
conn_client.c | ||
conn_event.c | ||
conn_object.c | ||
conn_service.c | ||
input.c | ||
insecure.c | ||
Kconfig | ||
key.c | ||
local_event.c | ||
local_object.c | ||
Makefile | ||
misc.c | ||
output.c | ||
peer_event.c | ||
peer_object.c | ||
proc.c | ||
recvmsg.c | ||
rxkad.c | ||
security.c | ||
sendmsg.c | ||
skbuff.c | ||
sysctl.c | ||
utils.c |