debian/patches/CVE-2016-2857-net-check-packet-payload-length.patch

   1 From 8878799dd147abb25f184e9a6c1133d65ac76e37 Mon Sep 17 00:00:00 2001
   2 From: Prasad J Pandit <pjp@fedoraproject.org>
   3 Date: Wed, 2 Mar 2016 17:29:58 +0530
   4 Subject: [PATCH] net: check packet payload length
   5
   6 While computing IP checksum, 'net_checksum_calculate' reads
   7 payload length from the packet. It could exceed the given 'data'
   8 buffer size. Add a check to avoid it.
   9
  10 Reported-by: Liu Ling <liuling-it@360.cn>
  11 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
  12 Signed-off-by: Jason Wang <jasowang@redhat.com>
  13 ---
  14  net/checksum.c | 10 ++++++++--
  15  1 file changed, 8 insertions(+), 2 deletions(-)
  16
  17 diff --git a/net/checksum.c b/net/checksum.c
  18 index 14c0855..0942437 100644
  19 --- a/net/checksum.c
  20 +++ b/net/checksum.c
  21 @@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length)
  22      int hlen, plen, proto, csum_offset;
  23      uint16_t csum;
  24
  25 +    /* Ensure data has complete L2 & L3 headers. */
  26 +    if (length < 14 + 20) {
  27 +        return;
  28 +    }
  29 +
  30      if ((data[14] & 0xf0) != 0x40)
  31         return; /* not IPv4 */
  32      hlen  = (data[14] & 0x0f) * 4;
  33 @@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length)
  34         return;
  35      }
  36
  37 -    if (plen < csum_offset+2)
  38 -       return;
  39 +    if (plen < csum_offset + 2 || 14 + hlen + plen > length) {
  40 +        return;
  41 +    }
  42
  43      data[14+hlen+csum_offset]   = 0;
  44      data[14+hlen+csum_offset+1] = 0;
  45 --
  46 2.1.4
  47