dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered by an invalid...
authorAng Way Chuang <wcang79@gmail.com>
Thu, 25 Feb 2010 01:45:03 +0000 (09:45 +0800)
committerLinus Torvalds <torvalds@linux-foundation.org>
Sat, 27 Feb 2010 01:15:44 +0000 (17:15 -0800)
ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
has a bug that causes endless loop when Payload Pointer of MPEG2-TS
frame is 182 or 183.  Anyone who sends malicious MPEG2-TS frame will
cause the receiver of ULE SNDU to go into endless loop.

This patch was generated and tested against linux-2.6.32.9 and should
apply cleanly to linux-2.6.33 as well because there was only one typo
fix to dvb_net.c since v2.6.32.

This bug was brought to you by modern day Santa Claus who decided to
shower the satellite dish at Keio University with heavy snow causing
huge burst of errors.  We, receiver end, received Santa Claus's gift in
the form of kernel bug.

Care has been taken not to introduce more bug by fixing this bug, but
please scrutinize the code for I always produces buggy code.

Signed-off-by: Ang Way Chuang <wcang79@gmail.com>
Acked-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/media/dvb/dvb-core/dvb_net.c

index 8b8558fcb04280410b8761ed3d36aefbc778c27a..b11533f76195c73c5630f699732c382bd4fc6702 100644 (file)
@@ -504,6 +504,7 @@ static void dvb_net_ule( struct net_device *dev, const u8 *buf, size_t buf_len )
                                       "bytes left in TS.  Resyncing.\n", ts_remain);
                                priv->ule_sndu_len = 0;
                                priv->need_pusi = 1;
+                               ts += TS_SZ;
                                continue;
                        }