media: dvb-net: fix OOB access in ULE extension header tables

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables
in handle_one_ule_extension() are declared with 255 elements (valid
indices 0-254), but the index htype is derived from network-controlled
data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When
htype equals 255, an out-of-bounds read occurs on the function pointer
table, and the OOB value may be called as a function pointer.

Add a bounds check on htype against the array size before either table
is accessed. Out-of-range values now cause the SNDU to be discarded.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Ariel Silver <arielsilver77@gmail.com>
Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

authored by

Ariel Silver and committed by

Mauro Carvalho Chehab 2 months ago 24d87712 6de23f81

1 changed file

expand all

drivers

media

dvb-core

dvb_net.c

drivers/media/dvb-core/dvb_net.c

··· 228 228 unsigned char hlen = (p->ule_sndu_type & 0x0700) >> 8; 229 229 unsigned char htype = p->ule_sndu_type & 0x00FF; 230 230 231 + if (htype >= ARRAY_SIZE(ule_mandatory_ext_handlers)) 232 + return -1; 233 + 231 234 /* Discriminate mandatory and optional extension headers. */ 232 235 if (hlen == 0) { 233 236 /* Mandatory extension header */

Configure Feed

Configure Feed