• Ang Way Chuang's avatar
    dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered by an invalid Payload Pointer · 29e1fa35
    Ang Way Chuang authored
    ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
    has a bug that causes endless loop when Payload Pointer of MPEG2-TS
    frame is 182 or 183.  Anyone who sends malicious MPEG2-TS frame will
    cause the receiver of ULE SNDU to go into endless loop.
    
    This patch was generated and tested against linux-2.6.32.9 and should
    apply cleanly to linux-2.6.33 as well because there was only one typo
    fix to dvb_net.c since v2.6.32.
    
    This bug was brought to you by modern day Santa Claus who decided to
    shower the satellite dish at Keio University with heavy snow causing
    huge burst of errors.  We, receiver end, received Santa Claus's gift in
    the form of kernel bug.
    
    Care has been taken not to introduce more bug by fixing this bug, but
    please scrutinize the code for I always produces buggy code.
    Signed-off-by: default avatarAng Way Chuang <wcang79@gmail.com>
    Acked-by: default avatarMauro Carvalho Chehab <mchehab@redhat.com>
    Cc: stable@kernel.org
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    29e1fa35
dvb_net.c 41.9 KB