[kernel] r6649 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Sat May 20 16:31:51 UTC 2006

Author: dannf
Date: Sat May 20 16:31:50 2006
New Revision: 6649

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-hb-ack-overflow.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3

Log:
* sctp-hb-ack-overflow.dpatch
  [SECURITY] Fix a remote buffer overflow that can result from a badly
  formatted HB-ACK chunk
  See CVE-2006-1857

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================

--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sat May 20 16:31:50 2006
@@ -88,8 +88,12 @@
   * nfs-another-O_DIRECT-fix.dpatch
     [SECURITY] Fix a potential local DoS vulnerability in the NFS O_DIRECT code
     See CVE-2006-0555
+  * sctp-hb-ack-overflow.dpatch
+    [SECURITY] Fix a remote buffer overflow that can result from a badly
+    formatted HB-ACK chunk
+    See CVE-2006-1857
 
- -- dann frazier <dannf at debian.org>  Sat, 20 May 2006 02:55:31 -0500
+ -- dann frazier <dannf at debian.org>  Sat, 20 May 2006 11:30:27 -0500
 
 kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-hb-ack-overflow.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sctp-hb-ack-overflow.dpatch	Sat May 20 16:31:50 2006
@@ -0,0 +1,31 @@
+From: Vladislav Yasevich <vladislav.yasevich at hp.com>
+Date: Fri, 19 May 2006 21:25:53 +0000 (-0700)
+Subject: [SCTP]: Validate the parameter length in HB-ACK chunk.
+X-Git-Url: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a601266e4f3c479790f373c2e3122a766d123652
+
+[SCTP]: Validate the parameter length in HB-ACK chunk.
+
+If SCTP receives a badly formatted HB-ACK chunk, it is possible
+that we may access invalid memory and potentially have a buffer
+overflow.  We should really make sure that the chunk format is
+what we expect, before attempting to touch the data.
+
+Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+Signed-off-by: Sridhar Samudrala <sri at us.ibm.com>
+---
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -1019,6 +1019,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(
+ 						  commands);
+ 
+ 	hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
++	/* Make sure that the length of the parameter is what we expect */
++	if (ntohs(hbinfo->param_hdr.length) !=
++				    sizeof(sctp_sender_hb_info_t)) {
++		return SCTP_DISPOSITION_DISCARD;
++	}
++
+ 	from_addr = hbinfo->daddr;
+ 	link = sctp_assoc_lookup_paddr(asoc, &from_addr);
+ 

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	Sat May 20 16:31:50 2006
@@ -24,3 +24,4 @@
 + s390-strnlen_user-return.dpatch
 + xfs-ftruncate-leak.dpatch
 + nfs-another-O_DIRECT-fix.dpatch
++ sctp-hb-ack-overflow.dpatch

