summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAng Way Chuang <wcang79@gmail.com>2010-02-25 09:45:03 +0800
committerLinus Torvalds <torvalds@linux-foundation.org>2010-02-26 17:15:44 -0800
commit29e1fa3565a7951cc415c634eb2b78dbdbee151d (patch)
treed98a5718ffffaea73682097cb0b120d24df2897f
parent2594a57a13f1a6c32d90d73d7ebe51d4b8d88421 (diff)
downloadlinux-29e1fa3565a7951cc415c634eb2b78dbdbee151d.tar.bz2
dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered by an invalid Payload Pointer
ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation has a bug that causes endless loop when Payload Pointer of MPEG2-TS frame is 182 or 183. Anyone who sends malicious MPEG2-TS frame will cause the receiver of ULE SNDU to go into endless loop. This patch was generated and tested against linux-2.6.32.9 and should apply cleanly to linux-2.6.33 as well because there was only one typo fix to dvb_net.c since v2.6.32. This bug was brought to you by modern day Santa Claus who decided to shower the satellite dish at Keio University with heavy snow causing huge burst of errors. We, receiver end, received Santa Claus's gift in the form of kernel bug. Care has been taken not to introduce more bug by fixing this bug, but please scrutinize the code for I always produces buggy code. Signed-off-by: Ang Way Chuang <wcang79@gmail.com> Acked-by: Mauro Carvalho Chehab <mchehab@redhat.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/media/dvb/dvb-core/dvb_net.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/media/dvb/dvb-core/dvb_net.c b/drivers/media/dvb/dvb-core/dvb_net.c
index 8b8558fcb042..b11533f76195 100644
--- a/drivers/media/dvb/dvb-core/dvb_net.c
+++ b/drivers/media/dvb/dvb-core/dvb_net.c
@@ -504,6 +504,7 @@ static void dvb_net_ule( struct net_device *dev, const u8 *buf, size_t buf_len )
"bytes left in TS. Resyncing.\n", ts_remain);
priv->ule_sndu_len = 0;
priv->need_pusi = 1;
+ ts += TS_SZ;
continue;
}