Date: Wed, 2 Nov 2016 21:05:54 +0100
From: Stefan Richter
To: linux1394-devel@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org, Eyal Itkin
Subject: [PATCH 0/3] firewire: net: IP-over-1394 link fragmentation fixes
Message-ID: <20161102210554.23b24d74@kant>

The following patches

  1/3 firewire: net: guard against rx buffer overflows
  2/3 firewire: net: fix fragmented datagram_size off-by-one
  3/3 firewire: net: max MTU off by one

fix a few long-standing bugs of the IP-over-1394 driver firewire-net
related to reception and transmission of fragmented datagrams:

  - RX: Missing validation of fragment offset and size makes the driver
    vulnerable to buffer overflows, potentially leading to remote¹ code
    execution. Reported by Eyal Itkin.

    ¹) The vulnerability cannot be triggered by malformed IP datagrams,
    but by malformed IEEE 1394 packets sent from other FireWire nodes to
    the 1394 broadcast channel or to firewire-net's unicast FIFO, or can
    be sent from the local node to the unicast FIFO by sufficiently
    privileged userland. I.e. an attack can only originate from somewhere
    on the FireWire bus, not from another network that is bridged to the
    FireWire bus.

  - RX: Missing validation of unfragmented and fragmented datagrams for
    minimum packet size before looking at GASP header and encapsulation
    header.

  - RX and TX: The datagram_size field of fragmented datagrams was read
    and written incorrectly; an offset of +/-1 needs to be applied. This
    prevents fragmented traffic from/to nodes which run OS X, Windows XP,
    or Linux' older eth1394 driver. (Traffic from Win XP would eventually
    be retried with smaller MTU and possibly succeed slowly despite the
    bug.)

Patch 1/3 is obviously urgent.

Patch 2/3 is a bit of a bother because while it fixes fragmented RX/TX
with OS X, Win XP, and eth1394, it does disrupt fragmented RX/TX with
Linux nodes which run an unfixed firewire-net.

Patch 3/3 will only apply in conjunction with changes that are queued up
in the net-next git tree, hence this patch will wait until net-next has
been merged.

Patches 1+2/3 are already pushed out to linux1394.git "testing" and
"for-next" branches, but I'd still like to get review comments before I
send a pull request.
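The two RX problems named above, the missing fragment offset/size validation and the dg_size field that is carried on the wire as length minus one, as an added example that is not the firewire-net driver's own code; RX_BUF_SIZE, struct rx_datagram and the function names are assumptions for this illustration:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reassembly buffer size per datagram; an assumed value for this example,
 * not the driver's real constant. */
#define RX_BUF_SIZE 2048

struct rx_datagram {
	uint8_t buf[RX_BUF_SIZE];
	size_t  dg_size;   /* true datagram length in bytes, 0 until first fragment */
	size_t  received;  /* bytes copied so far (overlaps are not tracked here) */
};

/* The 12-bit dg_size field in the RFC 2734 fragment header carries
 * (datagram length - 1); this is the +/-1 the cover letter refers to. */
static inline size_t dg_size_from_wire(uint16_t field) { return (size_t)field + 1; }
static inline uint16_t dg_size_to_wire(size_t len) { return (uint16_t)(len - 1); }

/*
 * Accept one fragment into the reassembly buffer. Returns false and copies
 * nothing unless every byte lands inside both the datagram and the buffer.
 * fg_off and frag_len are the fragment offset and payload length as parsed
 * from the received packet; they come from the bus and must be checked.
 */
bool rx_accept_fragment(struct rx_datagram *dg, uint16_t dg_size_field,
			size_t fg_off, const uint8_t *frag, size_t frag_len)
{
	size_t dg_size = dg_size_from_wire(dg_size_field);
	if (dg_size > RX_BUF_SIZE)              /* whole datagram would not fit */
		return false;
	if (frag_len == 0 || frag_len > dg_size)
		return false;
	if (fg_off > dg_size - frag_len)        /* overflow-safe fg_off + frag_len > dg_size */
		return false;
	if (dg->dg_size != 0 && dg->dg_size != dg_size) /* size must agree across fragments */
		return false;

	dg->dg_size = dg_size;
	memcpy(dg->buf + fg_off, frag, frag_len);
	dg->received += frag_len;
	return true;
}

/* True once the accepted fragments add up to the announced datagram length. */
bool rx_datagram_complete(const struct rx_datagram *dg)
{
	return dg->dg_size != 0 && dg->received == dg->dg_size;
}
```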
-- 
Stefan Richter
-======----- =-== ---=-
http://arcgraph.de/sr/