ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation code
has a bug that allows an attacker to send a malformed ULE packet with SNDU
length of 0 and bring down the receiving machine. This patch fix the bug and
apply to kernel 2.6.17.8.
Signed-off-by: Ang Way Chuang <[email protected]>
---
diff -uprN linux-2.6.17.8/drivers/media/dvb/dvb-core/dvb_net.c linux-2.6.17.8-fix/drivers/media/dvb/dvb-core/dvb_net.c
--- linux-2.6.17.8/drivers/media/dvb/dvb-core/dvb_net.c 2006-08-07 12:18:54.000000000 +0800
+++ linux-2.6.17.8-fix/drivers/media/dvb/dvb-core/dvb_net.c 2006-08-21 11:09:12.000000000 +0800
@@ -492,7 +492,7 @@ static void dvb_net_ule( struct net_devi
} else
priv->ule_dbit = 0;
- if (priv->ule_sndu_len > 32763) {
+ if (priv->ule_sndu_len > 32763 || priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
"Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
priv->ule_sndu_len = 0;