Prev: vmi: disable highmem PTE allocation even when CONFIG_HIGHPTE=y
Next: [PATCH] Export per-tid and per-tgid cputime in nanoseconds.
From: Ang Way Chuang on 26 Feb 2010 20:50
Hi guys,
Sorry, I have to resend this email because I think my email didn't
through linux-media, stable or security mailing list.


ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
has a bug that causes endless loop when Payload Pointer of MPEG2-TS
frame is 182 or 183. Anyone who sends malicious MPEG2-TS frame will
cause the receiver of ULE SNDU to go into endless loop.

This patch was generated and tested against linux-2.6.32.9 and should
apply cleanly to linux-2.6.33 as well because there was only one typo
fix to dvb_net.c since v2.6.32.

This bug was brought to you by modern day Santa Claus who decided to
shower the satellite dish at Keio University with heavy snow causing huge
burst of errors. We, receiver end, received Santa Claus's gift in the form
of kernel bug.

Care has been taken not to introduce more bug by fixing this bug, but
please scrutinize the code because I always produces buggy code.

Signed-off-by: Ang Way Chuang <wcang79(a)gmail.com>
---
--- linux-2.6.32.9/drivers/media/dvb/dvb-core/dvb_net.c 2010-02-23 23:38:51.000000000 +0800
+++ linux-2.6.32.9.new/drivers/media/dvb/dvb-core/dvb_net.c 2010-02-25 04:09:18.000000000 +0800
@@ -504,6 +504,7 @@ static void dvb_net_ule( struct net_devi
"bytes left in TS. Resyncing.\n", ts_remain);
priv->ule_sndu_len = 0;
priv->need_pusi = 1;
+ ts += TS_SZ;
continue;
}



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
 | 
Pages: 1
Prev: vmi: disable highmem PTE allocation even when CONFIG_HIGHPTE=y
Next: [PATCH] Export per-tid and per-tgid cputime in nanoseconds.