rpms/kernel/F-10 linux-2.6-net-sctp-avoid-memory-overflow-while-FWD-TSN-chunk-is-r.patch, NONE, 1.1 kernel.spec, 1.1218, 1.1219
Chuck Ebbert
cebbert at fedoraproject.org
Mon Jan 19 21:55:17 UTC 2009
- Previous message (by thread): rpms/selinux-policy/devel policy-20090105.patch, 1.9, 1.10 selinux-policy.spec, 1.768, 1.769
- Next message (by thread): rpms/gnomad2/F-9 .cvsignore, 1.14, 1.15 gnomad2.spec, 1.27, 1.28 sources, 1.14, 1.15
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15711
Modified Files:
kernel.spec
Added Files:
linux-2.6-net-sctp-avoid-memory-overflow-while-FWD-TSN-chunk-is-r.patch
Log Message:
CVE-2009-0065: buffer overflow in net/sctp/sm_statefuns.c
in the Stream Control Transmission Protocol
linux-2.6-net-sctp-avoid-memory-overflow-while-FWD-TSN-chunk-is-r.patch:
--- NEW FILE linux-2.6-net-sctp-avoid-memory-overflow-while-FWD-TSN-chunk-is-r.patch ---
From: Wei Yongjun <yjwei at cn.fujitsu.com>
Date: Fri, 26 Dec 2008 00:58:11 +0000 (-0800)
Subject: sctp: Avoid memory overflow while FWD-TSN chunk is received with bad stream ID
X-Git-Tag: v2.6.29-rc1~581^2~75
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9fcb95a105758b81ef0131cd18e2db5149f13e95
sctp: Avoid memory overflow while FWD-TSN chunk is received with bad stream ID
If FWD-TSN chunk is received with bad stream ID, the sctp will not do the
validity check, this may cause memory overflow when overwrite the TSN of
the stream ID.
The FORWARD-TSN chunk is like this:
FORWARD-TSN chunk
Type = 192
Flags = 0
Length = 172
NewTSN = 99
Stream = 10000
StreamSequence = 0xFFFF
This patch fix this problem by discard the chunk if stream ID is not
less than MIS.
Signed-off-by: Wei Yongjun <yjwei at cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
---
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 9f2a3eb..1c4e5d6 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3689,6 +3689,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep,
{
struct sctp_chunk *chunk = arg;
struct sctp_fwdtsn_hdr *fwdtsn_hdr;
+ struct sctp_fwdtsn_skip *skip;
__u16 len;
__u32 tsn;
@@ -3718,6 +3719,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(const struct sctp_endpoint *ep,
if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
goto discard_noforce;
+ /* Silently discard the chunk if stream-id is not valid */
+ sctp_walk_fwdtsn(skip, chunk) {
+ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
+ goto discard_noforce;
+ }
+
sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
if (len > sizeof(struct sctp_fwdtsn_hdr))
sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
@@ -3749,6 +3756,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
{
struct sctp_chunk *chunk = arg;
struct sctp_fwdtsn_hdr *fwdtsn_hdr;
+ struct sctp_fwdtsn_skip *skip;
__u16 len;
__u32 tsn;
@@ -3778,6 +3786,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
goto gen_shutdown;
+ /* Silently discard the chunk if stream-id is not valid */
+ sctp_walk_fwdtsn(skip, chunk) {
+ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
+ goto gen_shutdown;
+ }
+
sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
if (len > sizeof(struct sctp_fwdtsn_hdr))
sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1218
retrieving revision 1.1219
diff -u -r1.1218 -r1.1219
--- kernel.spec 19 Jan 2009 06:21:31 -0000 1.1218
+++ kernel.spec 19 Jan 2009 21:54:46 -0000 1.1219
@@ -657,6 +657,9 @@
# Fix DEBUG_SHIRQ problem in tulip driver. (454575)
Patch2030: linux-2.6-net-tulip-interrupt.patch
+# CVE-2009-0065
+Patch2031: linux-2.6-net-sctp-avoid-memory-overflow-while-FWD-TSN-chunk-is-r.patch
+
# olpc fixes
Patch2040: linux-2.6-olpc-speaker-out.patch
@@ -1175,6 +1178,8 @@
ApplyPatch linux-2.6-net-tulip-interrupt.patch
+ApplyPatch linux-2.6-net-sctp-avoid-memory-overflow-while-FWD-TSN-chunk-is-r.patch
+
ApplyPatch linux-2.6-olpc-speaker-out.patch
ApplyPatch linux-2.6-serial.patch
@@ -1776,6 +1781,10 @@
%kernel_variant_files -k vmlinux %{with_kdump} kdump
%changelog
+* Mon Jan 19 2009 Chuck Ebbert <cebbert at redhat.com>
+- CVE-2009-0065: buffer overflow in net/sctp/sm_statefuns.c
+ in the Stream Control Transmission Protocol
+
* Mon Jan 19 2009 Kyle McMartin <kyle at redhat.com>
- execshield fixes: should no longer generate spurious handled GPFs,
fixes randomization of executables. also some clean ups.
- Previous message (by thread): rpms/selinux-policy/devel policy-20090105.patch, 1.9, 1.10 selinux-policy.spec, 1.768, 1.769
- Next message (by thread): rpms/gnomad2/F-9 .cvsignore, 1.14, 1.15 gnomad2.spec, 1.27, 1.28 sources, 1.14, 1.15
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list