ID:

CVE-2019-9162 (NVD)

- Vulnerability Info (edit)
2019-02-25

In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.

Products linux_kernel
Type Improper Validation of Array Index (CWE-129)
First patch
2019-02-11
https://github.com/torvalds/linux/commit/c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc
"netfilter: nf_nat_snmp_basic: add missing length checks in ASN.1 cbs The generic ASN.1 decoder infrastructure doesn't guarantee that callbacks will get as much data as they expect; callbacks have to check the `datalen` parameter before looking at `data`. Make sure that snmp_version() and snmp_helper() don't read/write beyond the end of the packet data. (Also move the..."
assignment to `pdata` down below the check to make it clear that it isn't necessarily a pointer we can use before the `datalen` check.) Fixes: cc2d58634e0f ("netfilter: nf_nat_snmp_basic: use asn1 decoder library") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>


Stats: +6 lines / -1 lines (total: 7 lines)
Patches http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc
Relevant file/s ./net/ipv4/netfilter/nf_nat_snmp_basic_main.c (modified, +6, -1)
Links https://bugs.chromium.org/p/project-zero/issues/detail?id=1776
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.25
http://www.securityfocus.com/bid/107159
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.12
https://www.exploit-db.com/exploits/46477/
Annotation

Note:

This entry has not been annotated yet.

Please consider adding data:

linux - Tree: c4c07b4d6f

(? files)

Filter Settings
Files
Navigation
Patch data:

(on by default)


Patched area: