| Description: | In the Linux kernel, the following vulnerability has been resolved:
tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the
following: - side A configures the n_gsm in basic option mode - side B
sends the header of a basic option mode frame with data length 1 -
side A switches to advanced option mode - side B sends 2 data bytes
which exceeds gsm->len Reason: gsm->len is not used in advanced option
mode. - side A switches to basic option mode - side B keeps sending
until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state
nor gsm->len have been reset after reconfiguration. Fix this by
changing gsm->count to gsm->len comparison from equal to less than.
Also add upper limit checks against the constant MAX_MRU in
gsm0_receive() and gsm1_receive() to harden against memory corruption
of gsm->len and gsm->mru. All other checks remain as we still need to
limit the data according to the user configuration and actual payload
size.
|
